On Fri, Jan 18, 2019 at 03:10:39PM -0800, Fred Klassen wrote:
> Some IPMI modules (e.g. ibmpex_msg_handler()) will have ipmi_usr_hdlr
> handlers that call ipmi_free_recv_msg() directly. This will essentially
> kfree(msg), leading to use-after-free.
>
> This does not happen in the ipmi_devintf module, which will queue the
> message and run ipmi_free_recv_msg() later.
>
> BUG: KASAN: use-after-free in deliver_response+0x12f/0x1b0
> Read of size 8 at addr ffff888a7bf20018 by task ksoftirqd/3/27
> CPU: 3 PID: 27 Comm: ksoftirqd/3 Tainted: G O 4.19.11-amd64-ani99-debug #12.0.1.601133+pv
> Hardware name: AppNeta r1000/X11SPW-TF, BIOS 2.1a-AP 09/17/2018
> Call Trace:
>  dump_stack+0x92/0xeb
>  print_address_description+0x73/0x290
>  kasan_report+0x258/0x380
>  deliver_response+0x12f/0x1b0
>  ? ipmi_free_recv_msg+0x50/0x50
>  deliver_local_response+0xe/0x50
>  handle_one_recv_msg+0x37a/0x21d0
>  handle_new_recv_msgs+0x1ce/0x440
>  ...
>
> Allocated by task 9885:
>  kasan_kmalloc+0xa0/0xd0
>  kmem_cache_alloc_trace+0x116/0x290
>  ipmi_alloc_recv_msg+0x28/0x70
>  i_ipmi_request+0xb4a/0x1640
>  ipmi_request_settime+0x1b8/0x1e0
>  ...
>
> Freed by task 27:
>  __kasan_slab_free+0x12e/0x180
>  kfree+0xe9/0x280
>  deliver_response+0x122/0x1b0
>  deliver_local_response+0xe/0x50
>  handle_one_recv_msg+0x37a/0x21d0
>  handle_new_recv_msgs+0x1ce/0x440
>  tasklet_action_common.isra.19+0xc4/0x250
>  __do_softirq+0x11f/0x51f
>
> Fixes: e86ee2d44b4 ("ipmi: Rework locking and shutdown for hot remove")
> Signed-off-by: Fred Klassen <fklassen@xxxxxxxxxxx>
>
> ---
>  drivers/char/ipmi/ipmi_msghandler.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>
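The hazard the quoted commit message describes, as an added stand-alone C model that is not part of this thread and not the kernel's own code (the actual one-line patch is not shown on this page): a dispatcher hands a message to a user handler that frees it, then touches the message again. The struct and function names are hypothetical, and "freeing" only poisons the fields so the stale read is observable without a real heap.

```c
#include <stddef.h>

/* Constructed model: struct and function names are hypothetical stand-ins
 * for the IPMI user / recv_msg / deliver_response pattern in the report. */
struct user { int id; int refs; };
struct recv_msg { struct user *user; int data; };

/* Stand-in for a free that makes reuse visible: poison instead of kfree. */
static void poison_free(struct recv_msg *msg)
{
    msg->user = NULL;
    msg->data = -1;
}

/* A handler in the style the report names: it owns and frees the message. */
static void freeing_handler(struct recv_msg *msg)
{
    poison_free(msg);
}

/* Buggy dispatcher: drops the user reference through msg->user after the
 * handler may already have freed msg. Returns 0 on success, -1 when the
 * stale pointer is observed (in real code this is the KASAN report). */
static int deliver_buggy(struct recv_msg *msg, void (*hndl)(struct recv_msg *))
{
    struct user *u = msg->user;
    u->refs++;                  /* acquire the user for the callback */
    hndl(msg);                  /* ownership of msg passes to the handler */
    if (msg->user == NULL)      /* read of freed memory: msg is no longer ours */
        return -1;
    msg->user->refs--;          /* release via the freed object */
    return 0;
}

/* Fixed dispatcher: capture everything needed before the handoff and use
 * only the local afterwards; msg is never dereferenced past the call. */
static int deliver_fixed(struct recv_msg *msg, void (*hndl)(struct recv_msg *))
{
    struct user *u = msg->user; /* captured before ownership transfer */
    u->refs++;
    hndl(msg);
    u->refs--;                  /* release through the local, not msg */
    return 0;
}
```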