Hi,
On Mon, Jul 12, 2021 at 03:40:46PM -0700, Xiaochen Zou wrote:
> Hi,
> It looks like there are multiple use-after-free accesses in
> j1939_session_deactivate()
>
> static bool j1939_session_deactivate(struct j1939_session *session)
> {
> bool active;
>
> j1939_session_list_lock(session->priv);
> active = j1939_session_deactivate_locked(session); //session can be freed inside
> j1939_session_list_unlock(session->priv); // It causes UAF read and write
>
> return active;
> }
>
> session can be freed by
> j1939_session_deactivate_locked->j1939_session_put->__j1939_session_release->j1939_session_destroy->kfree.
> Therefore it makes the unlock function perform UAF access.
Potentially I would agree, but this function takes "session" as
property. Any function which provided session pointer should
care about own ref counting. If described scenarios really happens, then
there is problem on other place. Was you able to reproduce it?
Regards,
Oleksij
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
