Re: [Openipmi-developer] [PATCH v2] ipmi_si: fix use-after-free of resource->name

Corey Minyard <minyard@xxxxxxx> · Sat, 26 Jan 2019 09:08:09 -0600

On Sat, Jan 26, 2019 at 05:14:54PM +0800, Yang Yingliang wrote:
> When we excute the following commands, we got oops
> rmmod ipmi_si
> cat /proc/ioports
> 

snip..

> 
> If io_setup is called successful in try_smi_init() but try_smi_init()
> goes out_err before calling ipmi_register_smi(), so ipmi_unregister_smi()
> will not be called while removing module. It leads to the resource that
> allocated in io_setup() can not be freed, but the name(DEVICE_NAME) of
> resource is freed while removing the module. It causes use-after-free
> when cat /proc/ioports.
> 
> Fix this by calling io_cleanup() while try_smi_init() goes to out_err
> and don't call release_region() if request_region() is not called to
> avoid error prints.
> 
> Fixes: 93c303d2045b ("ipmi_si: Clean up shutdown a bit")
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: NuoHan Qiao <qiaonuohan@xxxxxxxxxx>
> Suggested-by: Corey Minyard <cminyard@xxxxxxxxxx>
> Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
> ---
>  drivers/char/ipmi/ipmi_si_intf.c    | 5 +++++
>  drivers/char/ipmi/ipmi_si_port_io.c | 3 +++
>  2 files changed, 8 insertions(+)
> 
> diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
> index dc8603d..f1b9fda 100644
> --- a/drivers/char/ipmi/ipmi_si_intf.c
> +++ b/drivers/char/ipmi/ipmi_si_intf.c
> @@ -2085,6 +2085,11 @@ static int try_smi_init(struct smi_info *new_smi)
>  	WARN_ON(new_smi->io.dev->init_name != NULL);
>  
>   out_err:
> +	if (rv && new_smi->io.io_cleanup) {
> +		new_smi->io.io_cleanup(&new_smi->io);
> +		new_smi->io.io_cleanup = NULL;
> +	}
> +
>  	kfree(init_name);
>  	return rv;
>  }
> diff --git a/drivers/char/ipmi/ipmi_si_port_io.c b/drivers/char/ipmi/ipmi_si_port_io.c
> index ef6dffc..0c46a3f 100644
> --- a/drivers/char/ipmi/ipmi_si_port_io.c
> +++ b/drivers/char/ipmi/ipmi_si_port_io.c
> @@ -53,6 +53,9 @@ static void port_cleanup(struct si_sm_io *io)
>  	unsigned int addr = io->addr_data;
>  	int          idx;
>  
> +	if (io->regsize != 1 && io->regsize != 2 && io->regsize != 4)
> +		return;
> +

Why do you need this part?  I can't see the reason for it.  The addr
part below should handle that, especially with the above change.

-corey

>  	if (addr) {
>  		for (idx = 0; idx < io->io_size; idx++)
>  			release_region(addr + idx * io->regspacing,
> -- 
> 1.8.3
> 
> 
> 
> 
> _______________________________________________
> Openipmi-developer mailing list
> Openipmi-developer@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openipmi-developer