Date: Tue, 13 Apr 2021 11:46:30 +0000
From: Wei Liu
To: Dan Carpenter
Cc: "K. Y. Srinivasan", Haiyang Zhang, Stephen Hemminger, Wei Liu, Greg Kroah-Hartman, Dexuan Cui, linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Michael Kelley
Subject: Re: [PATCH] Drivers: hv: vmbus: Use after free in __vmbus_open()
Message-ID: <20210413114630.szpbtjxidefh566g@liuwe-devbox-debian-v2>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 13, 2021 at 01:50:04PM +0300, Dan Carpenter wrote:
> The "open_info" variable is added to the &vmbus_connection.chn_msg_list,
> but the error handling frees "open_info" without removing it from the
> list. This will result in a use after free. First remove it from the
> list, and then free it.
>
> Fixes: 6f3d791f3006 ("Drivers: hv: vmbus: Fix rescind handling issues")
> Signed-off-by: Dan Carpenter
> ---
> From static analysis. Untested etc. There is almost certainly a good
> reason to add it to the list before checking "newchannel->rescind" but I
> don't know the code well enough to know what the reason is.
>

AIUI the channel management code requires the message be queued before
posting the message to the backend, because processing the response is
done in another thread, and might happen before this message is added to
the list if the order is reversed.

> drivers/hv/channel.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
> index db30be8f9cce..1c5a418c1962 100644
> --- a/drivers/hv/channel.c
> +++ b/drivers/hv/channel.c
> @@ -653,7 +653,7 @@ static int __vmbus_open(struct vmbus_channel *newchannel,
>
> if (newchannel->rescind) {
> err = -ENODEV;
> - goto error_free_info;
> + goto error_clean_msglist;

Looking at similar functions in the same file I think there is indeed a
UAF problem in the original code.

I have not studied this piece of code extensively so I will wait for
others to chime in.

Wei.

> }
>
> err = vmbus_post_msg(open_msg,
> --
> 2.30.2
>
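Review bot: the one-line change to the goto target is only correct if the error_clean_msglist label, which this hunk does not show, unlinks open_info from vmbus_connection.chn_msg_list (with the same locking the list's other users take) and then falls through to the kfree that error_free_info does; since the commit message says "Untested", it would help to state in the message that the error paths after the vmbus_post_msg() call visible at the end of the hunk already unwind through error_clean_msglist, or to add a Tested-by. Leaving the list_add before the rescind check is the right shape for the fix given the reason in the reply (the response is processed in another thread and may look the entry up as soon as the message is posted), so changing the unwind target rather than reordering the add is what reviewers should expect here.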
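As an added illustration, not part of the patch or of the kernel source: a user-space C model of the two unwind targets in the hunk above, showing why freeing open_info while it is still linked into chn_msg_list leaves a dangling pointer and why unlinking first does not. The list helpers, the msglist_* names and vmbus_open_unwind() are this example's own; only open_info, chn_msg_list and the error_* label names are borrowed from the thread.

```c
#include <stdlib.h>
/* Intrusive singly linked list standing in for vmbus_connection.chn_msg_list. */
struct open_info { struct open_info *next; };
static struct open_info *chn_msg_list;

static void msglist_add(struct open_info *e)
{
	e->next = chn_msg_list;
	chn_msg_list = e;
}

static void msglist_del(struct open_info *e)
{
	struct open_info **pp;
	for (pp = &chn_msg_list; *pp; pp = &(*pp)->next)
		if (*pp == e) {
			*pp = e->next;
			return;
		}
}

static int msglist_contains(const struct open_info *e)
{
	const struct open_info *p;
	for (p = chn_msg_list; p; p = p->next)
		if (p == e)
			return 1;
	return 0;
}

/*
 * Model of the __vmbus_open() unwind when newchannel->rescind is set.
 * open_info sits on the list before the check (Wei: the response handler
 * runs in another thread), so the unwind must unlink it before freeing.
 * fixed == 0: goto error_free_info (kfree while still queued).
 * fixed == 1: goto error_clean_msglist (list_del, then kfree).
 * Returns 1 if the list still pointed at open_info when it was freed.
 */
static int vmbus_open_unwind(int fixed)
{
	struct open_info *open_info = calloc(1, sizeof *open_info);
	int dangling;
	msglist_add(open_info);
	if (fixed)
		msglist_del(open_info);           /* error_clean_msglist */
	dangling = msglist_contains(open_info);
	if (dangling)         /* unlink anyway so this model stays memory-safe */
		msglist_del(open_info);           /* the kernel has no such net */
	free(open_info);                          /* error_free_info */
	return dangling;
}
```

The buggy unwind (fixed == 0) reports 1: the list head still pointed at open_info at the moment of the free, which is exactly the state the response-handling thread would later walk into.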