Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp6149133pxb;
        Mon, 14 Feb 2022 16:58:15 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyuISAuSdyqHBF1lz/vcKTPS3Psnp2srI5niLHPb5IqvGh9XhtTH+34ep1HCW5gT36U0Lt5
X-Received: by 2002:a63:2a53:: with SMTP id q80mr1468972pgq.143.1644886695045;
        Mon, 14 Feb 2022 16:58:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1644886695; cv=none;
        d=google.com; s=arc-20160816;
        b=YaPQO0CAm2TDphIkFTBrKjAN4+11XAeB1v21gUDW61u6xV52jqCTUpTk2dSwkMqk7N
         jWTmK3wgwXub1V49Sj+4I0dbTEGKsAYPly1kS+8eCGWb4rMWEi5ixk6XE5io0xslwOrY
         i4mhzmEQit1KQ3578eU4++nHMYh/A0MmbJP+n7diSc3cwsOpxUsj8mKwVX0jQIOq+Jwn
         PxngDf3bsE0QcrB4gRz81KUz5HRHtdqFxkHPUUnDFSGmOCLtOmkwsUFfsqiuYi+t3FP1
         Bz62l/AQG1dznbeU/50mFxM+nEuLssuF138tPq8safcio000XYbgekRPkTFUDGePR+WZ
         Pcag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:date:cc:to:from:subject
         :message-id;
        bh=O5NCvgiOr2pHGCHnv1Y9Mba/ZU3956NUP5/GEg49W8o=;
        b=krAMxbXUuMY8sdYO4c6kRde5i5qhszamrArxUmAJdnODRtycCIDTce6liBqGlidGyr
         s3cL6cs5by8lV0ZQRixIMMT9o7Ndx6N8K6MxX8bzNuhFsozblf+hYkP/N06pv7/HYB3I
         vG59d8lnnXb+zN6xcujyArLsFRiLcPgJs8AcdJCeFsIBYDCndHD5s2B3RUsodmnuMqa5
         ghHgqca5XBJT+Y5ipxzAwdF6mLpY3ozqk2WCfPbkvJXGGwsr189abutY/NEuVKSfZnlZ
         98arSe/Z4ApDe2PPZJ01MPQ1ZG2Ko+NfWHBEu38axxf4d6MRrvFe3lw/ilM2qNazhkf3
         JR+w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id d73si1139352pga.811.2022.02.14.16.57.58;
        Mon, 14 Feb 2022 16:58:15 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232274AbiBOAy2 (ORCPT <rfc822;andrey.bzh.r@gmail.com>
        + 99 others); Mon, 14 Feb 2022 19:54:28 -0500
Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:53776 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230096AbiBOAyX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Feb 2022 19:54:23 -0500
X-Greylist: delayed 531 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Mon, 14 Feb 2022 16:53:56 PST
Received: from codeconstruct.com.au (pi.codeconstruct.com.au [203.29.241.158])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9B29614147F
        for <linux-kernel@vger.kernel.org>; Mon, 14 Feb 2022 16:53:56 -0800 (PST)
Received: from pecola.lan (unknown [159.196.93.152])
        by mail.codeconstruct.com.au (Postfix) with ESMTPSA id ED1BC2015A;
        Tue, 15 Feb 2022 08:44:57 +0800 (AWST)
Message-ID: <daabe69d3863caa62f7874a472edbf2bc892d99e.camel@codeconstruct.com.au>
Subject: Re: [PATCH] mctp: fix use after free
From:   Jeremy Kerr <jk@codeconstruct.com.au>
To:     trix@redhat.com, matt@codeconstruct.com.au, davem@davemloft.net,
        kuba@kernel.org, nathan@kernel.org, ndesaulniers@google.com
Cc:     netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        llvm@lists.linux.dev
Date:   Tue, 15 Feb 2022 08:44:57 +0800
In-Reply-To: <20220214175138.2902947-1-trix@redhat.com>
References: <20220214175138.2902947-1-trix@redhat.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.42.3-1 
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,KHOP_HELO_FCRDNS,
        SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Tom,

> Clang static analysis reports this problem
> route.c:425:4: warning: Use of memory after it is freed
>   trace_mctp_key_acquire(key);
>   ^~~~~~~~~~~~~~~~~~~~~~~~~~~
> When mctp_key_add() fails, key is freed but then is later
> used in trace_mctp_key_acquire().  Add an else statement
> to use the key only when mctp_key_add() is successful.

Looks good to me, thanks for the fix.

However, the Fixes tag will need an update; at the point of 
4a992bbd3650 ("mctp: Implement message fragmentation"), there was no
use of 'key' after the kfree() there.

Instead, this is the hunk that introduced the trace event:

  @@ -365,12 +368,16 @@
                          if (rc)
                                  kfree(key);
   
  +                       trace_mctp_key_acquire(key);
  +
                          /* we don't need to release key->lock on exit */
                          key = NULL;
 
- which is from 4f9e1ba6de45. The unref() comes in later, but the
initial uaf is caused by this change.

So, I'd suggest this instead:

Fixes: 4f9e1ba6de45 ("mctp: Add tracepoints for tag/key handling")

(this just means we need the fix for 5.16+, rather than 5.15+).

Also, can you share how you're doing the clang static analysis there?
I'll get that included in my checks too.

Cheers,


Jeremy