Date: Tue, 8 Mar 2022 14:42:44 +0100
From: Andrew Lunn
To: Jianglei Nie
Cc: davem@davemloft.net, kuba@kernel.org, caihuoqing@baidu.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: arc_emac: Fix use after free in arc_mdio_probe()
Message-ID:
References: <20220308111005.4953-1-niejianglei2021@163.com>
In-Reply-To: <20220308111005.4953-1-niejianglei2021@163.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 08, 2022 at 07:10:05PM +0800, Jianglei Nie wrote:
> If bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free
> the "bus". But bus->name is still used in the next line, which will lead
> to a use after free.
>
> We can fix it by putting the bus->name in a local variable and then using
> the name in the error message without referring to bus to avoid the uaf.
>
> Signed-off-by: Jianglei Nie
> ---
>  drivers/net/ethernet/arc/emac_mdio.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/arc/emac_mdio.c b/drivers/net/ethernet/arc/emac_mdio.c
> index 9acf589b1178..33fd63d227ef 100644
> --- a/drivers/net/ethernet/arc/emac_mdio.c
> +++ b/drivers/net/ethernet/arc/emac_mdio.c
> @@ -134,6 +134,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv)
> struct device_node *np = priv->dev->of_node;
> struct mii_bus *bus;
> int error;
> + const char *name = "Synopsys MII Bus";

Netdev uses reverse Christmas tree, meaning you need to sort variables
longest to shortest.

I'm also wondering about the lifetime of name. name itself is a stack
variable, so it will disappear as soon as the function exits. The
string itself is in the rodata section. But is a copy made onto the
stack, or does bus->name point to the rodata?

	Andrew

> bus = mdiobus_alloc();
> if (!bus)
> @@ -142,7 +143,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv)
> priv->bus = bus;
> bus->priv = priv;
> bus->parent = priv->dev;
> - bus->name = "Synopsys MII Bus";
> + bus->name = name;
> bus->read = &arc_mdio_read;
> bus->write = &arc_mdio_write;
> bus->reset = &arc_mdio_reset;
> @@ -167,7 +168,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv)
> if (error) {
> mdiobus_free(bus);
> return dev_err_probe(priv->dev, error,
> - "cannot register MDIO bus %s\n", bus->name);
> + "cannot register MDIO bus %s\n", name);
> }
>
> return 0;
> --
> 2.25.1
>
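Review bot: the `const char *name = "Synopsys MII Bus";` local added in the first hunk is not what makes the fix hold. `name` in `struct mii_bus` is a `const char *`, so the existing `bus->name = "Synopsys MII Bus";` stores only the literal's address; the characters live in .rodata with static storage duration and are never copied into the bus. The use-after-free is the read of the `name` pointer field out of the freed `bus`, not a read of the string, so the error path can simply pass the literal (or any pointer to it) without going through `bus`. If the local is kept, it belongs between `struct device_node *np = ...;` and `struct mii_bus *bus;` to satisfy the netdev longest-to-shortest declaration order.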
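Review bot: the `- bus->name = "Synopsys MII Bus";` / `+ bus->name = name;` change in the second hunk is churn rather than part of the fix: that assignment was never the faulty access, and nothing else in the field-initialisation block changes. Leaving the assignment as it was and touching only the error path keeps the diff to the lines that actually matter and makes the stable backport smaller.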
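Review bot: in the third hunk `priv->bus` still points at the freed object after `mdiobus_free(bus);`, because `priv->bus = bus;` in the second hunk is done before `mdiobus_register()` can fail, so the caller is left with a dangling pointer even once the message argument is fixed. Either add `priv->bus = NULL;` before the return or move the `priv->bus = bus;` assignment after a successful registration. The message fix itself could also avoid the new local entirely by logging before freeing, since `dev_err_probe()` returns the error it is given: `error = dev_err_probe(priv->dev, error, "cannot register MDIO bus %s\n", bus->name); mdiobus_free(bus); return error;`.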
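The error path described in the commit message, as an added example that is neither kernel code nor part of the posted patch. `struct fake_bus`, `struct fake_priv` and the `fake_mdiobus_*` helpers are constructed stand-ins for `struct mii_bus`, `struct arc_emac_priv` and the mdiobus API, and a one-slot static pool replaces the real allocator so that the stale read in `probe_before()` returns a deterministic poison value instead of undefined behaviour. `probe_after()` follows the patch and additionally clears `priv->bus` on failure, a step the patch does not include.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct mii_bus (constructed). As in the real struct, name is
 * a pointer: storing a string literal records the literal's address (static
 * storage, .rodata); no characters are copied into the bus. */
struct fake_bus {
	const char *name;
	int state;
};

/* Stand-in for struct arc_emac_priv (constructed). */
struct fake_priv {
	struct fake_bus *bus;
};

enum { BUS_FREE = 0, BUS_ALLOCATED = 1 };

/* One-slot allocator. Freed memory stays addressable, so the stale read in
 * probe_before() yields a visible poison value rather than real undefined
 * behaviour, which a kernel build could turn into anything, silently. */
static struct fake_bus pool;

static struct fake_bus *fake_mdiobus_alloc(void)
{
	if (pool.state != BUS_FREE)
		return NULL;
	pool.name = NULL;
	pool.state = BUS_ALLOCATED;
	return &pool;
}

/* Models mdiobus_free(): the object is gone, so poison its fields. */
static void fake_mdiobus_free(struct fake_bus *bus)
{
	bus->name = "<<freed>>";
	bus->state = BUS_FREE;
}

/* Models mdiobus_register(); the caller decides whether it fails. */
static int fake_mdiobus_register(struct fake_bus *bus, bool fail)
{
	(void)bus;
	return fail ? -5 : 0;	/* -EIO, a constructed failure */
}

/* Error path before the patch: returns the string that would be handed to
 * dev_err_probe(), read from bus->name after the bus has been freed. */
const char *probe_before(struct fake_priv *priv, bool register_fails)
{
	struct fake_bus *bus = fake_mdiobus_alloc();

	if (!bus)
		return "alloc failed";
	priv->bus = bus;
	bus->name = "Synopsys MII Bus";
	if (fake_mdiobus_register(bus, register_fails)) {
		fake_mdiobus_free(bus);
		return bus->name;	/* use after free: field of a freed object */
	}
	return bus->name;
}

/* Error path as patched: the literal's address is kept in a local pointer.
 * The local dies with the function, but the literal it points at does not,
 * so the message is built without touching the freed bus. Resetting
 * priv->bus is an extra step the posted patch does not include. */
const char *probe_after(struct fake_priv *priv, bool register_fails)
{
	struct fake_bus *bus = fake_mdiobus_alloc();
	const char *name = "Synopsys MII Bus";

	if (!bus)
		return "alloc failed";
	priv->bus = bus;
	bus->name = name;
	if (fake_mdiobus_register(bus, register_fails)) {
		fake_mdiobus_free(bus);
		priv->bus = NULL;
		return name;
	}
	return bus->name;
}

/* Tear down a successfully probed bus so the one-slot pool can be reused. */
void release_probed(struct fake_priv *priv)
{
	if (priv->bus) {
		fake_mdiobus_free(priv->bus);
		priv->bus = NULL;
	}
}

int main(void)
{
	struct fake_priv priv = { NULL };

	printf("before patch, register fails: \"%s\"\n", probe_before(&priv, true));
	printf("after patch,  register fails: \"%s\"\n", probe_after(&priv, true));
	printf("after patch,  register ok:    \"%s\"\n", probe_after(&priv, false));
	release_probed(&priv);
	return 0;
}
```

Build with `gcc -Wall -std=c99 uaf_demo.c` (the file name is hypothetical). The first two calls show the difference the patch makes on the failing-register path: the pre-patch version hands the poisoned field to the log call, the patched version hands the literal's address held in the local. The model also settles the lifetime question raised in the reply: assigning a literal to a `const char *` field stores only an address, and the characters themselves have static storage duration, so a local pointer to them can safely outlive the bus.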