Date: Mon, 2 Sep 2019 20:47:22 +0200
From: Greg KH
To: Guenter Roeck
Cc: Kalle Valo, Hui Peng, security@kernel.org, Mathias Payer, "David S. Miller", linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Fix a double free bug in rsi_91x_deinit
Message-ID: <20190902184722.GC5697@kroah.com>
References: <20190819220230.10597-1-benquike@gmail.com> <20190831181852.GA22160@roeck-us.net> <87k1asqw87.fsf@kamboji.qca.qualcomm.com> <385361d3-048e-9b3f-c749-aa5861e397e7@roeck-us.net>
In-Reply-To: <385361d3-048e-9b3f-c749-aa5861e397e7@roeck-us.net>

On Sun, Sep 01, 2019 at 07:08:29AM -0700, Guenter Roeck wrote:
> On 9/1/19 1:03 AM, Kalle Valo wrote:
> > Guenter Roeck writes:
> >
> > > On Mon, Aug 19, 2019 at 06:02:29PM -0400, Hui Peng wrote:
> > > > `dev` (struct rsi_91x_usbdev *) field of adapter
> > > > (struct rsi_91x_usbdev *) is allocated and initialized in
> > > > `rsi_init_usb_interface`. If any error is detected in information
> > > > read from the device side, `rsi_init_usb_interface` will be
> > > > freed. However, in the higher level error handling code in
> > > > `rsi_probe`, if an error is detected, `rsi_91x_deinit` is called
> > > > again, in which `dev` will be freed again, resulting in a double free.
> > > >
> > > > This patch fixes the double free by removing the free operation on
> > > > `dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also
> > > > used in `rsi_disconnect`; in that code path, the `dev` field is not
> > > > (and thus needs to be) freed.
> > > >
> > > > This bug was found in v4.19, but is also present in the latest version
> > > > of the kernel.
> > > >
> > > > Reported-by: Hui Peng
> > > > Reported-by: Mathias Payer
> > > > Signed-off-by: Hui Peng
> > >
> > > FWIW:
> > >
> > > Reviewed-by: Guenter Roeck
> > >
> > > This patch is listed as a fix for CVE-2019-15504, which has a CVSS 2.0 score
> > > of 10.0 (high) and a CVSS 3.0 score of 9.8 (critical).
> >
> > A double free in an error path is considered a critical CVE issue? I'm
> > very curious, why is that?
> >
>
> You'd have to ask the people assigning CVSS scores. However, if the memory
> was reallocated, that reallocated memory (which is still in use) is freed.
> Then all kinds of bad things can happen.

Yes, but moving from "bad things _can_ happen" to "bad things happen" in an
instance like this will be a tough task. It also requires physical access to
the machine.

Anyway, that doesn't mean we shouldn't fix it, it's just that CVSS can be
crazy when it comes to kernel patches (i.e. almost all fixes should be
"critical"...)

thanks,

greg k-h
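The ownership mistake the commit message describes (both `rsi_init_usb_interface` and `rsi_91x_deinit` releasing `dev` on the probe error path), as an added C model that is not the rsi driver's code: the type and function names are hypothetical stand-ins, and the allocator is simulated so the second free is counted rather than executed. The "before" init frees `dev` itself on error; the "after" init leaves that to the single teardown routine that every exit path already calls.

```c
/* Added model of the ownership bug in the thread, not rsi driver code.
 * Names are hypothetical stand-ins; the "heap" is simulated so the
 * double free is counted instead of being undefined behaviour. */
#include <stdbool.h>
#include <stddef.h>
struct usbdev { bool in_use; };          /* stands in for struct rsi_91x_usbdev */
struct adapter { struct usbdev *dev; };  /* the field rsi_91x_deinit releases */
static struct usbdev slot;               /* one-object simulated heap */
static int double_frees;                 /* releases of an already-free object */
static struct usbdev *dev_alloc(void) { slot.in_use = true; return &slot; }

/* Like kfree: NULL is a no-op; freeing an already-free object is the bug. */
static void dev_free(struct usbdev *dev)
{
    if (!dev) return;
    if (!dev->in_use) { double_frees++; return; }
    dev->in_use = false;
}

/* Before the fix: init frees dev itself on bad device data, but leaves
 * adapter->dev pointing at the released object. */
static int init_usb_interface_before(struct adapter *a, bool device_ok)
{
    a->dev = dev_alloc();
    if (device_ok) return 0;
    dev_free(a->dev);                    /* first free */
    return -1;
}

/* After the fix: init leaves dev allocated on error; deinit, which every
 * exit path already runs, is the single owner of that free. */
static int init_usb_interface_after(struct adapter *a, bool device_ok)
{
    a->dev = dev_alloc();
    return device_ok ? 0 : -1;
}

/* Common teardown: rsi_91x_deinit also serves disconnect, where dev was
 * never freed, so it must always release dev. */
static void deinit(struct adapter *a) { dev_free(a->dev); a->dev = NULL; }
/* Probe hitting the device-side error; returns double frees seen (0 = ok). */
int probe_double_frees(bool fixed)
{
    struct adapter a = { NULL };
    double_frees = 0;
    int rc = fixed ? init_usb_interface_after(&a, false)
                   : init_usb_interface_before(&a, false);
    if (rc < 0) deinit(&a);              /* higher-level error handling */
    return double_frees;
}
```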