linux-stable/drivers
Zheyu Ma 829933ef05 firewire: nosy: Fix a use-after-free bug in nosy_ioctl()
For each device, the nosy driver allocates a pcilynx structure.
A use-after-free might happen in the following scenario:

 1. Open nosy device for the first time and call ioctl with command
    NOSY_IOC_START, then a new client A will be malloced and added to
    the doubly linked list.
 2. Open nosy device for the second time and call ioctl with command
    NOSY_IOC_START, then a new client B will be malloced and added to
    the doubly linked list.
 3. Call ioctl with command NOSY_IOC_START for client A, then client A
    will be re-added to the doubly linked list. Now the doubly linked
    list is messed up.
 4. Close the first nosy device and nosy_release will be called. In
    nosy_release, client A will be unlinked and freed.
 5. Close the second nosy device, and client A will be referenced,
    resulting in UAF.

The root cause of this bug is that the element in the doubly linked list
is reentered into the list.

Fix this bug by adding a check before inserting a client.  If a client
is already in the linked list, don't insert it.

The following KASAN report reveals it:

   BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210
   Write of size 8 at addr ffff888102ad7360 by task poc
   CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
   Call Trace:
     nosy_release+0x1ea/0x210
     __fput+0x1e2/0x840
     task_work_run+0xe8/0x180
     exit_to_user_mode_prepare+0x114/0x120
     syscall_exit_to_user_mode+0x1d/0x40
     entry_SYSCALL_64_after_hwframe+0x44/0xae

   Allocated by task 337:
     nosy_open+0x154/0x4d0
     misc_open+0x2ec/0x410
     chrdev_open+0x20d/0x5a0
     do_dentry_open+0x40f/0xe80
     path_openat+0x1cf9/0x37b0
     do_filp_open+0x16d/0x390
     do_sys_openat2+0x11d/0x360
     __x64_sys_open+0xfd/0x1a0
     do_syscall_64+0x33/0x40
     entry_SYSCALL_64_after_hwframe+0x44/0xae

   Freed by task 337:
     kfree+0x8f/0x210
     nosy_release+0x158/0x210
     __fput+0x1e2/0x840
     task_work_run+0xe8/0x180
     exit_to_user_mode_prepare+0x114/0x120
     syscall_exit_to_user_mode+0x1d/0x40
     entry_SYSCALL_64_after_hwframe+0x44/0xae

   The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128
   The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)

[ Modified to use 'list_empty()' inside proper lock  - Linus ]

Link: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/
Reported-and-tested-by: 马哲宇 (Zheyu Ma) <zheyuma97@gmail.com>
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Cc: Greg Kroah-Hartman <greg@kroah.com>
Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-04-04 14:05:45 -07:00
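The list corruption the commit message describes is easy to see on a userspace model of the kernel's intrusive doubly linked list. The C below is an added example, not the nosy driver's code or anything from the kernel tree: it reimplements just enough of the `<linux/list.h>` primitives to replay steps 1 to 4, with hypothetical `ioc_start_unchecked()` / `ioc_start_checked()` functions standing in for the pre-fix and post-fix `NOSY_IOC_START` handling, and it assumes (as `list_empty()` on a client requires) that a freshly opened client's `link` is self-initialised.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal intrusive doubly linked list modelled on <linux/list.h>
 * (constructed for this example; not the kernel's own code). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

/* True when the node links only to itself: an empty list head, or an
 * element that is not currently on any list. */
static bool list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
	struct list_head *last = head->prev;
	entry->next = head;
	entry->prev = last;
	last->next = entry;
	head->prev = entry;
}

static void list_del_init(struct list_head *entry)
{
	entry->prev->next = entry->next;
	entry->next->prev = entry->prev;
	INIT_LIST_HEAD(entry);
}

/* Hypothetical per-open state standing in for the driver's client. */
struct client { int id; struct list_head link; };

/* Pre-fix behaviour: NOSY_IOC_START inserts unconditionally. */
static void ioc_start_unchecked(struct client *c, struct list_head *clients)
{
	list_add_tail(&c->link, clients);
}

/* Fixed behaviour: insert only a client that is not already linked.
 * In the kernel the test and the insert sit under the same lock so no
 * concurrent ioctl can race between them; this model is single-threaded. */
static bool ioc_start_checked(struct client *c, struct list_head *clients)
{
	if (!list_empty(&c->link))
		return false;
	list_add_tail(&c->link, clients);
	return true;
}

/* Nodes reachable by a forward walk whose prev/next pointers agree,
 * bounded so a corrupted list cannot loop forever; -1 on inconsistency. */
static int list_consistent_count(const struct list_head *head, int max_nodes)
{
	int n = 0;
	const struct list_head *p;
	for (p = head->next; p != head; p = p->next) {
		if (p->next->prev != p || p->prev->next != p)
			return -1;
		if (++n > max_nodes)
			return -1;
	}
	return n;
}

/* Steps 1-3 of the commit message on a fresh list. */
static void run_steps_1_to_3(struct list_head *clients, struct client *a,
			     struct client *b, bool checked)
{
	INIT_LIST_HEAD(clients);
	INIT_LIST_HEAD(&a->link);	/* as a new client is initialised on open */
	INIT_LIST_HEAD(&b->link);
	if (checked) {
		ioc_start_checked(a, clients);		/* step 1 */
		ioc_start_checked(b, clients);		/* step 2 */
		ioc_start_checked(a, clients);		/* step 3: rejected */
	} else {
		ioc_start_unchecked(a, clients);
		ioc_start_unchecked(b, clients);
		ioc_start_unchecked(a, clients);	/* step 3: list corrupted */
	}
}

/* Two clients were started, so anything but 2 means the list is broken. */
static int reachable_clients(bool checked)
{
	struct list_head clients;
	struct client a = { 1 }, b = { 2 };
	run_steps_1_to_3(&clients, &a, &b, checked);
	return list_consistent_count(&clients, 8);
}

/* Step 4: unlink client A as release does before freeing it. Returns true
 * if the list still points at A afterwards, i.e. the next release (step 5)
 * would write through a dangling pointer, which is the write KASAN reported. */
static bool list_still_refers_to_freed_client(bool checked)
{
	struct list_head clients;
	struct client a = { 1 }, b = { 2 };
	const struct list_head *p;
	run_steps_1_to_3(&clients, &a, &b, checked);
	list_del_init(&a.link);		/* step 4 */
	for (p = clients.next; p != &clients; p = p->next)
		if (p == &a.link)
			return true;
	return false;
}

int main(void)
{
	printf("unchecked: reachable=%d dangling=%d\n",
	       reachable_clients(false), list_still_refers_to_freed_client(false));
	printf("checked:   reachable=%d dangling=%d\n",
	       reachable_clients(true), list_still_refers_to_freed_client(true));
	return 0;
}
```

Without the check, re-adding A makes the head's forward pointer and B's pointers disagree, so only one of the two clients is reachable, and after A is unlinked the head still points at it; the single `list_empty()` test turns the second start into a no-op and keeps the list consistent through both releases.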
accessibility
acpi Merge branches 'acpi-tables' and 'acpi-scan' 2021-04-02 16:57:56 +02:00
amba
android
ata
atm module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
auxdisplay auxdisplay: Remove in_interrupt() usage. 2021-03-16 16:32:40 +01:00
base Driver core fix for 5.12-rc6 2021-04-03 10:14:47 -07:00
bcma
block block-5.12-2021-04-02 2021-04-02 16:13:13 -07:00
bluetooth module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
bus Fixes for omaps for v5.12-rc cycle 2021-03-18 23:52:27 +01:00
cdrom
char module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
clk clk: qcom: gcc-sc7180: Use floor ops for the correct sdcc1 clk 2021-03-13 13:00:05 -08:00
clocksource
connector
counter
cpufreq cpufreq: Fix scaling_{available,boost}_frequencies_show() comments 2021-03-26 17:43:48 +01:00
cpuidle
crypto
cxl
dax
dca
devfreq
dio
dma
dma-buf
edac
eisa
extcon extcon: Fix error handling in extcon_dev_register 2021-03-15 11:09:38 +09:00
firewire firewire: nosy: Fix a use-after-free bug in nosy_ioctl() 2021-04-04 14:05:45 -07:00
firmware Another couple of EFI fixes for v5.12-rc: 2021-03-19 14:23:46 +01:00
fpga
fsi
gnss
gpio gpiolib: Assign fwnode to parent's if no primary one provided 2021-03-16 10:18:08 +01:00
gpu drm/imx: imx-drm-core and imx-ldb fixes 2021-04-02 04:53:16 +10:00
greybus
hid
hsi
hv
hwmon
hwspinlock
hwtracing
i2c
i3c
ide
idle
iio First set of IIO and counter fixes for the 5.12 cycle 2021-03-15 16:34:39 +01:00
infiniband RDMA 5.12 second rc pull request 2021-03-25 11:23:35 -07:00
input module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
interconnect interconnect: Fix kerneldoc warning 2021-03-18 23:46:21 +02:00
iommu iommu/tegra-smmu: Make tegra_smmu_probe_device() to handle all IOMMU phandles 2021-03-18 11:31:12 +01:00
ipack
irqchip
isdn isdn: capi: fix mismatched prototypes 2021-03-22 16:51:11 -07:00
leds
lightnvm
macintosh
mailbox
mcb
md dm ioctl: fix out of bounds array access when no devices 2021-03-26 14:51:50 -04:00
media module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
memory
memstick
message
mfd mfd: intel_quark_i2c_gpio: Revert "Constify static struct resources" 2021-03-23 09:14:12 +00:00
misc mei: allow map and unmap of client dma buffer only for disconnected client 2021-03-23 15:15:15 +01:00
mmc
most
mtd module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
mux
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-03-24 18:16:04 -07:00
nfc
ntb
nubus
nvdimm
nvme nvmet-tcp: fix kmap leak when data digest in use 2021-03-18 05:39:18 +01:00
nvmem
of
opp opp: Don't drop extra references to OPPs accidentally 2021-03-12 09:26:52 +05:30
parisc
parport module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
pci powerpc fixes for 5.12 #4 2021-03-21 10:57:35 -07:00
pcmcia
perf perf/arm_dmc620_pmu: Fix error return code in dmc620_pmu_device_probe() 2021-03-12 11:30:31 +00:00
phy
pinctrl intel-pinctrl for v5.12-3 2021-03-30 00:46:49 +02:00
platform platform/x86: intel_pmc_core: Ignore GBE LTR on Tiger Lake platforms 2021-03-23 21:50:14 +01:00
pnp
power
powercap
pps
ps3
ptp ptp_qoriq: fix overflow in ptp_qoriq_adjfine() u64 calcalation 2021-03-24 12:10:03 -07:00
pwm
rapidio
ras
regulator
remoteproc
reset
rpmsg
rtc
s390 module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
sbus module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
scsi SCSI fixes on 20210402 2021-04-03 09:07:35 -07:00
sh module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
siox
slimbus
soc OpenRISC fix for 5.12 2021-04-03 15:42:45 -07:00
soundwire
spi
spmi
ssb
staging staging: rtl8192e: Change state information from u16 to u8 2021-03-23 13:32:40 +01:00
target scsi: target: pscsi: Clean up after failure in pscsi_map_sg() 2021-03-24 23:19:23 -04:00
tc
tee module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
thermal thermal/core: Add NULL pointer check before using cooling device stats 2021-03-17 09:55:58 +01:00
thunderbolt
tty Serial driver fix for 5.12-rc6 2021-04-03 10:00:53 -07:00
uio
usb usb: dwc2: Prevent core suspend when port connection flag is 0 2021-03-26 14:51:34 +01:00
vdpa vdpa_sim: Skip typecasting from void* 2021-03-14 04:37:36 -04:00
vfio vfio/nvlink: Add missing SPAPR_TCE_IOMMU depends 2021-03-29 14:48:00 -06:00
vhost virtio: fixes, cleanups 2021-03-18 11:20:35 -07:00
video hyperv-fixes for 5.12-rc6 2021-04-03 10:42:20 -07:00
virt
virtio virtio: fixes, cleanups 2021-03-18 11:20:35 -07:00
visorbus
vlynq
vme
w1
watchdog module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
xen xen: branch for v5.12-rc5 2021-03-26 11:15:25 -07:00
zorro
Kconfig
Makefile