In-Reply-To: <20210426011647.3561-1-lyl2019@mail.ustc.edu.cn>
Subject: Re: [PATCH v2] rdma/siw: Fix a use after free in siw_alloc_mr
From: "Bernard Metzler"
To: "Lv Yunlong"
Cc: "dledford", "jgg", "linux-rdma", "linux-kernel", leon@kernel.org
Date: Mon, 26 Apr 2021 07:26:45 +0000
References: <20210426011647.3561-1-lyl2019@mail.ustc.edu.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

-----"Lv Yunlong" wrote: -----

>To: bmt@zurich.ibm.com, dledford@redhat.com, jgg@ziepe.ca
>From: "Lv Yunlong"
>Date: 04/26/2021 03:17AM
>Cc: linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, "Lv
>Yunlong"
>Subject: [EXTERNAL] [PATCH v2] rdma/siw: Fix a use after free in
>siw_alloc_mr
>
>Our code analyzer reported a UAF.
>
>In siw_alloc_mr, it calls siw_mr_add_mem(mr,..). In the
>implementation
>of siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed
>via kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still points
>to a freed object. Afterwards, the execution continues up to the err_out
>branch
>of siw_alloc_mr, and the freed mr->mem is used in
>siw_mr_drop_mem(mr).
>
>My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0)
>{}
>section, to avoid the UAF.
>
>Fixes: 2251334dcac9e ("rdma/siw: application buffer management")
>Signed-off-by: Lv Yunlong
>---
> drivers/infiniband/sw/siw/siw_mem.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/infiniband/sw/siw/siw_mem.c
>b/drivers/infiniband/sw/siw/siw_mem.c
>index 34a910cf0edb..96b38cfbb513 100644
>--- a/drivers/infiniband/sw/siw/siw_mem.c
>+++ b/drivers/infiniband/sw/siw/siw_mem.c
>@@ -106,8 +106,6 @@ int siw_mr_add_mem(struct siw_mr *mr, struct
>ib_pd *pd, void *mem_obj,
> mem->perms = rights & IWARP_ACCESS_MASK;
> kref_init(&mem->ref);
> 
>- mr->mem = mem;
>-
> get_random_bytes(&next, 4);
> next &= 0x00ffffff;
> 
>@@ -116,6 +114,8 @@ int siw_mr_add_mem(struct siw_mr *mr, struct
>ib_pd *pd, void *mem_obj,
> kfree(mem);
> return -ENOMEM;
> }
>+
>+ mr->mem = mem;
> /* Set the STag index part */
> mem->stag = id << 8;
> mr->base_mr.lkey = mr->base_mr.rkey = mem->stag;
>-- 
>2.25.1
>
>
>

Lv Yunlong, many thanks for catching, and thanks to Leon for improving it.

Reviewed-by: Bernard Metzler
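Review bot: removing `mr->mem = mem;` from the first hunk (between `kref_init(&mem->ref);` and `get_random_bytes(&next, 4);`) makes the fix depend on two things the diff does not show: that the xa_alloc_cyclic() call elided between `next &= 0x00ffffff;` and `kfree(mem);` stores `mem` and not `mr->mem`, and that `mr` arrives with `mr->mem` already NULL (zero-initialised) so that siw_mr_drop_mem(mr) on the siw_alloc_mr() err_out path sees no pointer rather than a stale one from an earlier attach. Both are worth one sentence in the commit message, since the description names siw_mr_drop_mem(mr) as the place that dereferences mr->mem.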
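Review bot: in the second hunk the new `mr->mem = mem;` sits directly above `/* Set the STag index part */` with the added blank line placed before it instead of after, so the comment now reads as if it covered the attach; either move the assignment below `mr->base_mr.lkey = mr->base_mr.rkey = mem->stag;` so attaching to the MR is the final step once the object is fully initialised, or keep the blank line between the assignment and the comment rather than between `}` and the assignment.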
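The ownership bug the commit message describes, as an added stand-alone model (example code written for this page, not the siw driver's code): a fallible attach step that publishes the new object through the caller's struct before the step that can fail, followed by a caller whose single err_out path drops whatever the struct points at. The model goes slightly beyond the patch by running both orderings side by side. `struct mem`, `struct mr`, `alloc_id()` (standing in for xa_alloc_cyclic()), `quarantine_free()` (standing in for kfree(), but poisoning instead of releasing so the stale access is detected rather than undefined) and the `-EFAULT` result used to flag the use after free are all assumptions made for the model.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model only, not siw_mem.c. All names and the -EFAULT convention are
 * assumptions chosen for this example. */

#define MAGIC_LIVE  0x4c495645u   /* "LIVE" */
#define MAGIC_FREED 0x44454144u   /* "DEAD" */

struct mem {
	unsigned int magic;       /* MAGIC_LIVE while allocated, MAGIC_FREED after */
	unsigned int stag;
	int refcount;
};

struct mr {
	struct mem *mem;          /* the pointer whose lifetime the patch fixes */
	unsigned int lkey;
};

/* Quarantine stands in for kfree(): the object stays mapped but poisoned, so a
 * later access is detectable. Only one object is held; the previous tenant is
 * released for real. */
static struct mem *quarantined;

static void quarantine_free(struct mem *mem)
{
	free(quarantined);
	mem->magic = MAGIC_FREED;
	quarantined = mem;
}

/* Stand-in for xa_alloc_cyclic(): the caller decides whether it fails. */
static int alloc_id(int force_fail, unsigned int *id)
{
	if (force_fail)
		return -ENOMEM;
	*id = 1;                  /* constructed id */
	return 0;
}

/* Model of siw_mr_drop_mem(): -EFAULT if mr->mem already went through free. */
static int mr_drop_mem(struct mr *mr)
{
	struct mem *mem = mr->mem;

	if (!mem)
		return 0;         /* never attached: nothing to drop */
	if (mem->magic != MAGIC_LIVE)
		return -EFAULT;   /* use after free */
	if (--mem->refcount == 0)
		quarantine_free(mem);
	mr->mem = NULL;
	return 0;
}

/* fixed == 0: publish mr->mem before the fallible id allocation (pre-patch).
 * fixed == 1: publish it only once nothing can fail any more (post-patch). */
static int mr_add_mem(struct mr *mr, int fixed, int fail_id)
{
	struct mem *mem = calloc(1, sizeof(*mem));
	unsigned int id = 0;

	if (!mem)
		return -ENOMEM;
	mem->magic = MAGIC_LIVE;
	mem->refcount = 1;
	if (!fixed)
		mr->mem = mem;
	if (alloc_id(fail_id, &id) < 0) {
		quarantine_free(mem);     /* pre-patch: mr->mem now dangles */
		return -ENOMEM;
	}
	if (fixed)
		mr->mem = mem;
	mem->stag = id << 8;
	mr->lkey = mem->stag;
	return 0;
}

/* Model of siw_alloc_mr(): mr is zeroed like a kzalloc() result and every
 * failure goes through one err_out cleanup that drops mr->mem. Returns 0 on
 * success, -ENOMEM on a clean failure, -EFAULT if cleanup touched freed memory. */
int alloc_mr_model(int fixed, int fail_id)
{
	struct mr mr;
	int rv;

	memset(&mr, 0, sizeof(mr));
	rv = mr_add_mem(&mr, fixed, fail_id);
	if (rv == 0)
		return mr_drop_mem(&mr);  /* ordinary teardown */
	/* err_out: */
	if (mr_drop_mem(&mr) < 0)
		return -EFAULT;
	return rv;
}

int main(void)
{
	printf("pre-patch,  id alloc fails: %d\n", alloc_mr_model(0, 1));
	printf("post-patch, id alloc fails: %d\n", alloc_mr_model(1, 1));
	return 0;
}
```

With the pre-patch ordering and a failing id allocation the err_out cleanup is handed a poisoned object and the model reports -EFAULT; with the post-patch ordering the same failure leaves `mr->mem` NULL and the caller sees a plain -ENOMEM. The same pattern, publish-before-commit, is worth grepping for in any function that both fills in a caller-owned pointer and frees the pointee on its own error path.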