From 565e439340f5f31c2767e8b0372231bee08a6c7a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 15 Dec 2022 10:46:27 +0100 Subject: [PATCH] 5.15-stable patches added patches: nfp-fix-use-after-free-in-area_cache_get.patch --- ...fix-use-after-free-in-area_cache_get.patch | 74 +++++++++++++++++++ queue-5.15/series | 1 + 2 files changed, 75 insertions(+) create mode 100644 queue-5.15/nfp-fix-use-after-free-in-area_cache_get.patch diff --git a/queue-5.15/nfp-fix-use-after-free-in-area_cache_get.patch b/queue-5.15/nfp-fix-use-after-free-in-area_cache_get.patch new file mode 100644 index 00000000000..0feff5bb515 --- /dev/null +++ b/queue-5.15/nfp-fix-use-after-free-in-area_cache_get.patch @@ -0,0 +1,74 @@ +From 02e1a114fdb71e59ee6770294166c30d437bf86a Mon Sep 17 00:00:00 2001 +From: Jialiang Wang +Date: Wed, 10 Aug 2022 15:30:57 +0800 +Subject: nfp: fix use-after-free in area_cache_get() + +From: Jialiang Wang + +commit 02e1a114fdb71e59ee6770294166c30d437bf86a upstream. + +area_cache_get() is used to distribute cache->area and set cache->id, + and if cache->id is not 0 and cache->area->kref refcount is 0, it will + release the cache->area by nfp_cpp_area_release(). area_cache_get() + set cache->id before cpp->op->area_init() and nfp_cpp_area_acquire(). + +But if area_init() or nfp_cpp_area_acquire() fails, the cache->id is + is already set but the refcount is not increased as expected. At this + time, calling the nfp_cpp_area_release() will cause use-after-free. + +To avoid the use-after-free, set cache->id after area_init() and + nfp_cpp_area_acquire() complete successfully. + +Note: This vulnerability is triggerable by providing emulated device + equipped with specified configuration. + + BUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760) + Write of size 4 at addr ffff888005b7f4a0 by task swapper/0/1 + + Call Trace: + + nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760) + area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884) + + Allocated by task 1: + nfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303) + nfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802) + nfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230) + nfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215) + nfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744) + + Freed by task 1: + kfree (mm/slub.c:4562) + area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873) + nfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973) + nfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48) + +Signed-off-by: Jialiang Wang +Reviewed-by: Yinjun Zhang +Acked-by: Simon Horman +Link: https://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c ++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c +@@ -874,7 +874,6 @@ area_cache_get(struct nfp_cpp *cpp, u32 + } + + /* Adjust the start address to be cache size aligned */ +- cache->id = id; + cache->addr = addr & ~(u64)(cache->size - 1); + + /* Re-init to the new ID and address */ +@@ -894,6 +893,8 @@ area_cache_get(struct nfp_cpp *cpp, u32 + return NULL; + } + ++ cache->id = id; ++ + exit: + /* Adjust offset */ + *offset = addr - cache->addr; diff --git a/queue-5.15/series b/queue-5.15/series index 232cd09287a..11512741df0 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -1,2 +1,3 @@ x86-vdso-conditionally-export-__vdso_sgx_enter_enclave.patch vfs-fix-copy_file_range-averts-filesystem-freeze-protection.patch +nfp-fix-use-after-free-in-area_cache_get.patch -- 2.47.3