Commit 6ccd0329 authored Nov 14, 2024 by Chun-Yi Lee Committed by Zicheng Qu Nov 14, 2024

aoe: fix the potential use-after-free problem in more places

stable inclusion
from stable-v5.10.227
commit f63461af2c1a86af4217910e47a5c46e3372e645
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9W
CVE: CVE-2024-49982

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f63461af2c1a86af4217910e47a5c46e3372e645

--------------------------------

commit 6d6e54fc71ad1ab0a87047fd9c211e75d86084a3 upstream.

For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential
use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put()
instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs
into use-after-free.

Then Nicolai Stange found more places in aoe have potential use-after-free
problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()
and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push
packet to tx queue. So they should also use dev_hold() to increase the
refcnt of skb->dev.

On the other hand, moving dev_put() to tx() causes that the refcnt of
skb->dev be reduced to a negative value, because corresponding
dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),
probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.

Cc: stable@vger.kernel.org
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270


Fixes: f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts")
Reported-by: Nicolai Stange <nstange@suse.com>
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Link: https://lore.kernel.org/stable/20240624064418.27043-1-jlee%40suse.com
Link: https://lore.kernel.org/r/20241002035458.24401-1-jlee@suse.com


Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zicheng Qu <quzicheng@huawei.com>

parent 53677a49

drivers/block/aoe/aoecmd.c

+12 −1

Original line number	Diff line number	Diff line
		@@ -362,6 +362,7 @@ ata_rw_frameinit(struct frame *f)
		}

		ah->cmdstat = ATA_CMD_PIO_READ \| writebit \| extbit;
		dev_hold(t->ifp->nd);
		skb->dev = t->ifp->nd;
		}

		@@ -402,6 +403,8 @@ aoecmd_ata_rw(struct aoedev *d)
		__skb_queue_head_init(&queue);
		__skb_queue_tail(&queue, skb);
		aoenet_xmit(&queue);
		} else {
		dev_put(f->t->ifp->nd);
		}
		return 1;
		}
		@@ -484,10 +487,13 @@ resend(struct aoedev d, struct frame f)
		memcpy(h->dst, t->addr, sizeof h->dst);
		memcpy(h->src, t->ifp->nd->dev_addr, sizeof h->src);

		dev_hold(t->ifp->nd);
		skb->dev = t->ifp->nd;
		skb = skb_clone(skb, GFP_ATOMIC);
		if (skb == NULL)
		if (skb == NULL) {
		dev_put(t->ifp->nd);
		return;
		}
		f->sent = ktime_get();
		__skb_queue_head_init(&queue);
		__skb_queue_tail(&queue, skb);
		@@ -618,6 +624,8 @@ probe(struct aoetgt *t)
		__skb_queue_head_init(&queue);
		__skb_queue_tail(&queue, skb);
		aoenet_xmit(&queue);
		} else {
		dev_put(f->t->ifp->nd);
		}
		}

		@@ -1403,6 +1411,7 @@ aoecmd_ata_id(struct aoedev *d)
		ah->cmdstat = ATA_CMD_ID_ATA;
		ah->lba3 = 0xa0;

		dev_hold(t->ifp->nd);
		skb->dev = t->ifp->nd;

		d->rttavg = RTTAVG_INIT;
		@@ -1412,6 +1421,8 @@ aoecmd_ata_id(struct aoedev *d)
		skb = skb_clone(skb, GFP_ATOMIC);
		if (skb)
		f->sent = ktime_get();
		else
		dev_put(t->ifp->nd);

		return skb;
		}