From 1798c9c14512211bf87e54c7de8e593967054ec4 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 15 Dec 2022 10:45:53 +0100 Subject: [PATCH] 4.14-stable patches added patches: nfp-fix-use-after-free-in-area_cache_get.patch
---
 ...fix-use-after-free-in-area_cache_get.patch | 74 +++++++++++++++++++
 queue-4.14/series | 1 +
 2 files changed, 75 insertions(+)
 create mode 100644 queue-4.14/nfp-fix-use-after-free-in-area_cache_get.patch
diff --git a/queue-4.14/nfp-fix-use-after-free-in-area_cache_get.patch b/queue-4.14/nfp-fix-use-after-free-in-area_cache_get.patch
new file mode 100644
index 00000000000..2fc8153750e
--- /dev/null
+++ b/queue-4.14/nfp-fix-use-after-free-in-area_cache_get.patch
@@ -0,0 +1,74 @@
+From 02e1a114fdb71e59ee6770294166c30d437bf86a Mon Sep 17 00:00:00 2001
+From: Jialiang Wang
+Date: Wed, 10 Aug 2022 15:30:57 +0800
+Subject: nfp: fix use-after-free in area_cache_get()
+
+From: Jialiang Wang
+
+commit 02e1a114fdb71e59ee6770294166c30d437bf86a upstream.
+
+area_cache_get() is used to distribute cache->area and set cache->id,
+ and if cache->id is not 0 and cache->area->kref refcount is 0, it will
+ release the cache->area by nfp_cpp_area_release(). area_cache_get()
+ set cache->id before cpp->op->area_init() and nfp_cpp_area_acquire().
+
+But if area_init() or nfp_cpp_area_acquire() fails, the cache->id is
+ is already set but the refcount is not increased as expected. At this
+ time, calling the nfp_cpp_area_release() will cause use-after-free.
+
+To avoid the use-after-free, set cache->id after area_init() and
+ nfp_cpp_area_acquire() complete successfully.
+
+Note: This vulnerability is triggerable by providing emulated device
+ equipped with specified configuration.
+
+ BUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)
+ Write of size 4 at addr ffff888005b7f4a0 by task swapper/0/1
+
+ Call Trace:
+
+ nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)
+ area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884)
+
+ Allocated by task 1:
+ nfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303)
+ nfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802)
+ nfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230)
+ nfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215)
+ nfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744)
+
+ Freed by task 1:
+ kfree (mm/slub.c:4562)
+ area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873)
+ nfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973)
+ nfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48)
+
+Signed-off-by: Jialiang Wang
+Reviewed-by: Yinjun Zhang
+Acked-by: Simon Horman
+Link: https://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
+@@ -858,7 +858,6 @@ area_cache_get(struct nfp_cpp *cpp, u32
+ }
+
+ /* Adjust the start address to be cache size aligned */
+- cache->id = id;
+ cache->addr = addr & ~(u64)(cache->size - 1);
+
+ /* Re-init to the new ID and address */
+@@ -878,6 +877,8 @@ area_cache_get(struct nfp_cpp *cpp, u32
+ return NULL;
+ }
+
++ cache->id = id;
++
+ exit:
+ /* Adjust offset */
+ *offset = addr - cache->addr;
diff --git a/queue-4.14/series b/queue-4.14/series
index ba5e71e8e8f..2336dbfdc07 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -3,3 +3,4 @@ once-add-do_once_slow-for-sleepable-contexts.patch
 mm-khugepaged-fix-gup-fast-interaction-by-sending-ipi.patch
 mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-collapse-paths.patch
 block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
+nfp-fix-use-after-free-in-area_cache_get.patch
--
2.47.3
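Review bot: In the second nested hunk (`+@@ -878,6 +877,8 @@`) the early `return NULL;` paths after a failed area_init() or nfp_cpp_area_acquire() now leave cache->id untouched while cache->addr has already been rewritten to the new aligned address, so a failed entry keeps an addr that was never initialised for the id it will later be matched against. That is only harmless if cache->id was reset to 0 when the previous area was released earlier in area_cache_get() (above the hunk, not visible here) and the lookup loop requires an id match before comparing addr; the patch relies on that invariant without stating it. Worth a comment at the new assignment, e.g. `/* Publish the new id only after init and acquire succeed; on failure the entry must stay unclaimed (id == 0) so a later caller does not release an area it never acquired. */`. Resetting `cache->addr = 0;` on those two error paths would additionally make a failed entry indistinguishable from a freshly released one. area_cache_get() begins and ends outside the hunk.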