Re: [PATCH rdma-next] IB/umad: Fix use-after-free in cdev_put

On Mon, Dec 24, 2018 at 03:30:57PM +0200, Gal Pressman wrote:
> On 24-Dec-18 11:16, Leon Romanovsky wrote:
> > From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> >
> > Misplaced kfree causes the following use-after-free error.
> >
> > [2018-12-11 22:40:58] BUG: KASAN: use-after-free in cdev_put.part.1+0x40/0x50
> > [2018-12-11 22:40:58] Read of size 8 at addr ffff8881b8bb6890 by task opensm/9230
> > [2018-12-11 22:40:58]
> > [2018-12-11 22:40:58] CPU: 0 PID: 9230 Comm: opensm Tainted: G OE     4.20.0-rc6-for-upstream-dbg-2018-12-11_06-14-26-54 #1
> > [2018-12-11 22:40:58] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> > [2018-12-11 22:40:58] Call Trace:
> > [2018-12-11 22:40:58]  dump_stack+0x9a/0xeb
> > [2018-12-11 22:40:58]  print_address_description+0xe3/0x2e0
> > [2018-12-11 22:40:58]  kasan_report+0x16b/0x2f0
> > [2018-12-11 22:40:58]  ? cdev_put.part.1+0x40/0x50
> > [2018-12-11 22:40:58]  ? ib_umad_close+0x33b/0x470 [ib_umad]
> > [2018-12-11 22:40:58]  cdev_put.part.1+0x40/0x50
> > [2018-12-11 22:40:58]  __fput+0x5fe/0x7a0
> > [2018-12-11 22:40:58]  task_work_run+0x10d/0x180
> > [2018-12-11 22:40:58]  do_exit+0x798/0x29d0
> > [2018-12-11 22:40:58]  ? plist_check_list+0x3c/0x90
> > [2018-12-11 22:40:58]  ? mm_update_next_owner+0x680/0x680
> > [2018-12-11 22:40:58]  ? memset+0x1f/0x40
> > [2018-12-11 22:40:58]  ? __dequeue_signal+0x351/0x6f0
> > [2018-12-11 22:40:58]  ? dequeue_signal+0x8c/0x4e0
> > [2018-12-11 22:40:58]  ? check_flags.part.26+0x440/0x440
> > [2018-12-11 22:40:58]  ? __dequeue_signal+0x6f0/0x6f0
> > [2018-12-11 22:40:58]  do_group_exit+0xed/0x2b0
> > [2018-12-11 22:40:58]  get_signal+0x572/0x14d0
> > [2018-12-11 22:40:58]  ? do_futex+0x5d8/0xef0
> > [2018-12-11 22:40:58]  do_signal+0x97/0x15f0
> > [2018-12-11 22:40:58]  ? __pmd_alloc+0x270/0x270
> > [2018-12-11 22:40:58]  ? check_flags.part.26+0x440/0x440
> > [2018-12-11 22:40:58]  ? do_mprotect_pkey+0x14a/0x870
> > [2018-12-11 22:40:58]  ? setup_sigcontext+0x820/0x820
> > [2018-12-11 22:40:58]  ? __x64_sys_futex+0x254/0x300
> > [2018-12-11 22:40:58]  ? __do_page_fault+0x295/0xaf0
> > [2018-12-11 22:40:58]  ? __ia32_sys_futex+0x350/0x350
> > [2018-12-11 22:40:58]  ? up_read+0x136/0x180
> > [2018-12-11 22:40:58]  exit_to_usermode_loop+0x9a/0x150
> > [2018-12-11 22:40:58]  do_syscall_64+0x368/0x410
> > [2018-12-11 22:40:58]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > [2018-12-11 22:40:58] RIP: 0033:0x7f752b10ec3b
> > [2018-12-11 22:40:58] Code: Bad RIP value.
> > [2018-12-11 22:40:58] RSP: 002b:00007f7529b01e10 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> > [2018-12-11 22:40:58] RAX: fffffffffffffe00 RBX: 00007ffd72c323e0 RCX: 00007f752b10ec3b
> > [2018-12-11 22:40:58] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007ffd72c32408
> > [2018-12-11 22:40:58] RBP: 00007ffd72c32404 R08: 0000000000000000 R09: 0000000000000000
> > [2018-12-11 22:40:58] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd72c32408
> > [2018-12-11 22:40:58] R13: 0000000000000000 R14: 00007ffd72c32410 R15: 000000000000003e
> > [2018-12-11 22:40:58]
> > [2018-12-11 22:40:58] Allocated by task 8558:
> > [2018-12-11 22:40:58]  kasan_kmalloc+0xa0/0xd0
> > [2018-12-11 22:40:58]  __kmalloc+0x183/0x3f0
> > [2018-12-11 22:40:58]  ib_umad_add_one+0xcf/0xb30 [ib_umad]
> > [2018-12-11 22:40:58]  ib_register_client+0x74/0x190 [ib_core]
> > [2018-12-11 22:40:58]  0xffffffffa0ae00a5
> > [2018-12-11 22:40:58]  do_one_initcall+0xa3/0x487
> > [2018-12-11 22:40:58]  do_init_module+0x1b2/0x59c
> > [2018-12-11 22:40:58]  load_module+0x4191/0x5f70
> > [2018-12-11 22:40:58]  __do_sys_finit_module+0x192/0x1c0
> > [2018-12-11 22:40:58]  do_syscall_64+0x95/0x410
> > [2018-12-11 22:40:58]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > [2018-12-11 22:40:58]
> > [2018-12-11 22:40:58] Freed by task 9230:
> > [2018-12-11 22:40:58]  __kasan_slab_free+0x11d/0x160
> > [2018-12-11 22:40:58]  kfree+0xf5/0x2f0
> > [2018-12-11 22:40:58]  ib_umad_close+0x33b/0x470 [ib_umad]
> > [2018-12-11 22:40:58]  __fput+0x24f/0x7a0
> > [2018-12-11 22:40:58]  task_work_run+0x10d/0x180
> > [2018-12-11 22:40:58]  do_exit+0x798/0x29d0
> > [2018-12-11 22:40:58]  do_group_exit+0xed/0x2b0
> > [2018-12-11 22:40:58]  get_signal+0x572/0x14d0
> > [2018-12-11 22:40:58]  do_signal+0x97/0x15f0
> > [2018-12-11 22:40:58]  exit_to_usermode_loop+0x9a/0x150
> > [2018-12-11 22:40:58]  do_syscall_64+0x368/0x410
> > [2018-12-11 22:40:58]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > [2018-12-11 22:40:58]
> > [2018-12-11 22:40:58] The buggy address belongs to the object at ffff8881b8bb6848
> > [2018-12-11 22:40:58]  which belongs to the cache kmalloc-4k of size 4096
> > [2018-12-11 22:40:58] The buggy address is located 72 bytes inside of
> > [2018-12-11 22:40:58]  4096-byte region [ffff8881b8bb6848, ffff8881b8bb7848)
> > [2018-12-11 22:40:58] The buggy address belongs to the page:
> > [2018-12-11 22:40:58] page:ffffea0006e2ec00 count:1 mapcount:0 mapping:ffff8882e9c0e6c0 index:0x0 compound_mapcount: 0
> > [2018-12-11 22:40:58] flags: 0x2fffff80010200(slab|head)
> > [2018-12-11 22:40:58] raw: 002fffff80010200 ffffea0007b77c08 ffffea000b94b408 ffff8882e9c0e6c0
> > [2018-12-11 22:40:58] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
> > [2018-12-11 22:40:58] page dumped because: kasan: bad access detected
> > [2018-12-11 22:40:58]
> > [2018-12-11 22:40:58] Memory state around the buggy address:
> > [2018-12-11 22:40:58]  ffff8881b8bb6780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > [2018-12-11 22:40:58]  ffff8881b8bb6800: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
> > [2018-12-11 22:40:58] >ffff8881b8bb6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > [2018-12-11 22:40:58]                          ^
> > [2018-12-11 22:40:58]  ffff8881b8bb6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > [2018-12-11 22:40:58]  ffff8881b8bb6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > [2018-12-11 22:40:58]
> >
> > Fixes: 954d57348f68 ("IB/umad: Refactor code to use cdev_device_add()")
>
> Hi Leon,
> Should this be:
> e9dd5daf884c ("IB/umad: Refactor code to use cdev_device_add()")?

You are right, thanks.

>
> > Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> > ---
> >  drivers/infiniband/core/user_mad.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
> > index 1a90012b5542..6929796e35e6 100644
> > --- a/drivers/infiniband/core/user_mad.c
> > +++ b/drivers/infiniband/core/user_mad.c
> > @@ -1031,8 +1031,8 @@ static int ib_umad_close(struct inode *inode, struct file *filp)
> >
> >  	mutex_unlock(&file->port->file_mutex);
> >
> > -	kfree(file);
> >  	ib_umad_dev_put(dev);
> > +	kfree(file);
> >  	return 0;
> >  }
> >
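Review bot: swapping kfree(file) and ib_umad_dev_put(dev) does not obviously address the report in the commit message. KASAN says the freed 4096-byte object was allocated in ib_umad_add_one, i.e. the per-device object released by ib_umad_dev_put, not the per-file struct released by kfree(file), and the stale read is in cdev_put called from __fput after ib_umad_close has already returned. In either order, ib_umad_close still drops its device reference before __fput reaches cdev_put, so if that is the last reference the cdev embedded in the device object is gone by the time cdev_put runs. Please confirm the KASAN splat no longer reproduces with exactly this change; if it still does, the device object needs to stay referenced until after the cdev is released rather than having these two calls reordered.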
> >
>

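The sequence in the trace above (ib_umad_close returns, then __fput calls cdev_put on a cdev embedded in a refcounted device object) is easy to reason about with a small model. The following C program is an added example written for this page; it is not the driver's or the kernel's code. The model_ structs, the LIVE_MAGIC marker and the "poison instead of free" allocator are assumptions made so that a stale read can be observed deterministically rather than as real undefined behaviour. The 0xfb poison byte is the freed-slab value KASAN prints in the report. Both orderings from the hunk are run, with and without an extra reference pinning the device object, so the reader can see what actually decides whether cdev_put reads freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIVE_MAGIC   0x4C495645u   /* "still allocated" marker (assumption) */
#define FREED_POISON 0xfb          /* the freed-slab byte KASAN shows in the report */

/* Stand-ins for struct cdev and struct ib_umad_device. The cdev is embedded
 * in the device object, as it is in the driver after cdev_device_add(). */
struct model_cdev {
    unsigned int magic;
};

struct model_umad_dev {
    unsigned int magic;
    int refcount;              /* stands in for the kref */
    struct model_cdev cdev;
};

struct model_file {
    unsigned int magic;
    struct model_umad_dev *dev;
};

/* Simulated kfree(): poison the object in place instead of releasing it,
 * so a later stale read is detectable without real undefined behaviour. */
static void model_kfree(void *obj, size_t size)
{
    memset(obj, FREED_POISON, size);
}

/* ib_umad_dev_put(): drop a reference, free the device on the last one. */
static int model_umad_dev_put(struct model_umad_dev *dev)
{
    if (--dev->refcount == 0) {
        model_kfree(dev, sizeof(*dev));
        return 1;              /* device object is gone */
    }
    return 0;
}

/* The two orderings in the hunk: original (kfree first) and patched (put first). */
static void close_kfree_then_put(struct model_file *file)
{
    struct model_umad_dev *dev = file->dev;

    model_kfree(file, sizeof(*file));
    model_umad_dev_put(dev);
}

static void close_put_then_kfree(struct model_file *file)
{
    struct model_umad_dev *dev = file->dev;

    model_umad_dev_put(dev);
    model_kfree(file, sizeof(*file));
}

/* What __fput() does after ->release() returns: it touches inode->i_cdev.
 * Returns 1 if the cdev is still live, 0 if it reads poisoned memory. */
static int model_cdev_put(struct model_cdev *cdev)
{
    return cdev->magic == LIVE_MAGIC;
}

/* Run one close. extra_dev_refs models references on the device held by
 * something other than this file. Returns 1 if cdev_put saw a live cdev,
 * 0 if it hit the use-after-free. */
static int run_close(int extra_dev_refs, void (*release)(struct model_file *))
{
    struct model_umad_dev *dev = calloc(1, sizeof(*dev));
    struct model_file *file = calloc(1, sizeof(*file));
    struct model_cdev *i_cdev;
    int live;

    if (!dev || !file)
        exit(1);

    dev->magic = LIVE_MAGIC;
    dev->cdev.magic = LIVE_MAGIC;
    dev->refcount = 1 + extra_dev_refs;   /* this file's reference plus the extras */
    file->magic = LIVE_MAGIC;
    file->dev = dev;
    i_cdev = &dev->cdev;                  /* what the inode points at */

    release(file);                        /* ib_umad_close() */
    live = model_cdev_put(i_cdev);        /* __fput() -> cdev_put() */

    free(dev);                            /* tear down the simulation arena */
    free(file);
    return live;
}

int main(void)
{
    const char *r[] = { "use-after-free", "ok" };

    printf("kfree then put, last ref: %s\n", r[run_close(0, close_kfree_then_put)]);
    printf("put then kfree, last ref: %s\n", r[run_close(0, close_put_then_kfree)]);
    printf("kfree then put, pinned  : %s\n", r[run_close(1, close_kfree_then_put)]);
    printf("put then kfree, pinned  : %s\n", r[run_close(1, close_put_then_kfree)]);
    return 0;
}
```

In the model, both orderings hit the poisoned cdev when the file holds the last device reference, and neither does when something else still pins the device; the order of the two calls inside close is not the variable that matters, the lifetime of the device object relative to the caller's cdev_put is.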