oss-sec mailing list archives
Re: Use After Free and Double Free bugs in Linux Kernel mainline
From: John Haxby <john.haxby () oracle com>
Date: Wed, 17 Mar 2021 12:40:41 +0000
This one isn't a security bug:
On 17 Mar 2021, at 11:53, lyl2019 () mail ustc edu cn wrote: Bug2: nvme/rdma: Fix a use after free in nvmet_rdma_write_data_done Commit Url: https://github.com/torvalds/linux/commit/abec6561fc4e0fbb19591a0b35676d8c783b5493 In nvmet_rdma_write_data_done, rsp is recoverd by wc->wr_cqe and freed by nvmet_rdma_release_rsp(). But after that, pr_info() used the freed chunk's member object and could leak the freed chunk address with wc->wr_cqe by computing the offset. drivers/nvme/target/rdma.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c index 06b6b742bb21..6c1f3ab7649c 100644 --- a/drivers/nvme/target/rdma.c +++ b/drivers/nvme/target/rdma.c @@ -802,9 +802,8 @@ static void nvmet_rdma_write_data_done(struct ib_cq *cq, struct ib_wc *wc) nvmet_req_uninit(&rsp->req); nvmet_rdma_release_rsp(rsp); if (wc->status != IB_WC_WR_FLUSH_ERR) { - pr_info("RDMA WRITE for CQE 0x%p failed with status %s (%d).\n", - wc->wr_cqe, ib_wc_status_msg(wc->status), - wc->status); + pr_info("RDMA WRITE for CQE failed with status %s (%d).\n", + ib_wc_status_msg(wc->status), wc->status); nvmet_rdma_error_comp(queue); } return;
Commit ad67b74d2469 ("printk: hash addresses printed with %p") back in 2017 made '%p' a non-security issue. That commit noted that there were approximately 14,000 places in the kernel where there was an address printed with %p. Rather than 14,000 CVEs :) this was fixed once and once only by that commit. That's not to say that this "0x%p" doesn't have a problem: for a start you don't need the "0x" because %p prints one anyway. That point is moot, though, because no one objected to just removing the pointer. The commit message is wrong though: it doesn't leak an address. jch
Current thread:
- Use After Free and Double Free bugs in Linux Kernel mainline lyl2019 (Mar 17)
- Re: Use After Free and Double Free bugs in Linux Kernel mainline John Haxby (Mar 17)
- Re: Use After Free and Double Free bugs in Linux Kernel mainline Greg KH (Mar 17)