Created attachment 224929 [details]
returns error message if sli_cmd_common_nop() failed

Bug File: sys/dev/ocs_fc/ocs_hw.c

In function ocs_hw_async_call, if sli_cmd_common_nop() failed, ctx will be freed via ocs_free() at line 11,800. But the freed ctx is used in the later callee ocs_hw_command(.., ctx->cmd, ..., ctx), which is a use-after-free bug. If the later callee ocs_hw_command() failed, the freed ctx is freed again via ocs_free() at line 11,806, which is a double-free bug.

My patch returns the error message if sli_cmd_common_nop() failed, to avoid the later UAF and double-free bugs.
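To make the lifetime problem in the report concrete, here is an added, self-contained C model of the control flow it describes. It is not code from the ocs_fc driver or from the attached patch: ctx_t, mock_free(), mock_cmd_nop(), mock_hw_command() and the return convention of the NOP builder are all stand-ins constructed for this example. The mock allocator never releases memory; it only marks the object as freed, so the buggy flow can be executed and its misuse counted without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for the driver's command context (constructed, not the ocs_fc type). */
typedef struct {
    uint8_t cmd[64];
    int freed;                 /* lifetime flag kept by the mock allocator */
} ctx_t;

typedef enum { HW_RTN_SUCCESS = 0, HW_RTN_ERROR = -1 } hw_rtn_t;

/* Counters filled in by the mocks; reset per scenario by run_scenario(). */
static int g_double_frees;
static int g_uses_after_free;

/* Mock free: records a second free instead of corrupting the allocator. */
static void mock_free(ctx_t *ctx)
{
    if (ctx->freed) {
        g_double_frees++;
        return;
    }
    ctx->freed = 1;
}

/* Mock NOP command builder. Convention chosen for this example: 1 = built, 0 = failed. */
static int mock_cmd_nop(uint8_t *buf, size_t len, int should_fail)
{
    memset(buf, 0, len);
    return should_fail ? 0 : 1;
}

/* Mock command submission: records any use of an already-freed context. */
static hw_rtn_t mock_hw_command(uint8_t *cmd, ctx_t *ctx, int should_fail)
{
    (void)cmd;
    if (ctx->freed)
        g_uses_after_free++;
    return should_fail ? HW_RTN_ERROR : HW_RTN_SUCCESS;
}

/* Flow described in the report: ctx is freed on NOP failure, but execution continues. */
static hw_rtn_t async_call_buggy(ctx_t *ctx, int nop_fails, int cmd_fails)
{
    hw_rtn_t rc = HW_RTN_SUCCESS;

    if (!mock_cmd_nop(ctx->cmd, sizeof ctx->cmd, nop_fails))
        mock_free(ctx);        /* ctx released here ... */

    /* ... yet still dereferenced here (UAF) and possibly freed again (double free). */
    if (mock_hw_command(ctx->cmd, ctx, cmd_fails) != HW_RTN_SUCCESS) {
        mock_free(ctx);
        rc = HW_RTN_ERROR;
    }
    return rc;
}

/* Corrected flow: every failure path frees exactly once and returns immediately. */
static hw_rtn_t async_call_fixed(ctx_t *ctx, int nop_fails, int cmd_fails)
{
    if (!mock_cmd_nop(ctx->cmd, sizeof ctx->cmd, nop_fails)) {
        mock_free(ctx);
        return HW_RTN_ERROR;   /* ownership of ctx ends here; nothing below touches it */
    }
    if (mock_hw_command(ctx->cmd, ctx, cmd_fails) != HW_RTN_SUCCESS) {
        mock_free(ctx);
        return HW_RTN_ERROR;
    }
    return HW_RTN_SUCCESS;
}

typedef struct {
    hw_rtn_t rc;
    int double_frees;
    int uses_after_free;
} scenario_result_t;

/* Run one variant against a fresh context and report what the mocks observed. */
static scenario_result_t run_scenario(hw_rtn_t (*fn)(ctx_t *, int, int),
                                      int nop_fails, int cmd_fails)
{
    ctx_t ctx;
    scenario_result_t r;

    memset(&ctx, 0, sizeof ctx);
    g_double_frees = g_uses_after_free = 0;
    r.rc = fn(&ctx, nop_fails, cmd_fails);
    r.double_frees = g_double_frees;
    r.uses_after_free = g_uses_after_free;
    return r;
}

int main(void)
{
    scenario_result_t b = run_scenario(async_call_buggy, 1, 1);
    scenario_result_t f = run_scenario(async_call_fixed, 1, 1);

    printf("buggy: rc=%d uaf=%d double_free=%d\n", b.rc, b.uses_after_free, b.double_frees);
    printf("fixed: rc=%d uaf=%d double_free=%d\n", f.rc, f.uses_after_free, f.double_frees);
    return 0;
}
```

The scenario where the NOP builder fails but the command submission succeeds is worth noting as well: the buggy variant then reports success to its caller even though ctx has already been released, so the error is silently lost on top of the memory-safety defect. The fix closes both by returning on the first failure.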
Created attachment 225301 [details] return OCS_HW_RTN_ERROR during failure.
Thanks for reporting the issue. Made some changes to your patch to directly return failure. Please let me know if you want me to check-in these changes.
(In reply to Ram Kishore Vegesna from comment #2) Ok, thanks.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7377d3831bc8abec2d6e5fee359d7383d4551feb

commit 7377d3831bc8abec2d6e5fee359d7383d4551feb
Author: Ram Kishore Vegesna <ram@FreeBSD.org>
AuthorDate: 2021-05-28 05:51:10 +0000
Commit: Ram Kishore Vegesna <ram@FreeBSD.org>
CommitDate: 2021-05-28 05:51:10 +0000

    ocs_fc: Fix use after free bug in ocs_hw_async_call()

    Freed ctx is used in the later callee ocs_hw_command(), which is a use
    after free bug. Return error if sli_cmd_common_nop() failed.

    PR: 255865
    Reported by: lylgood@foxmail.com
    Approved by:: markj

 sys/dev/ocs_fc/ocs_hw.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=fa3e66e9f7cd903050454fc284e2709a9e28e651

commit fa3e66e9f7cd903050454fc284e2709a9e28e651
Author: Ram Kishore Vegesna <ram@FreeBSD.org>
AuthorDate: 2021-05-28 05:51:10 +0000
Commit: Ram Kishore Vegesna <ram@FreeBSD.org>
CommitDate: 2021-12-17 09:45:59 +0000

    ocs_fc: Fix use after free bug in ocs_hw_async_call()

    Freed ctx is used in the later callee ocs_hw_command(), which is a use
    after free bug. Return error if sli_cmd_common_nop() failed.

    PR: 255865
    Reported by: lylgood@foxmail.com
    Approved by:: markj

    (cherry picked from commit 7377d3831bc8abec2d6e5fee359d7383d4551feb)

 sys/dev/ocs_fc/ocs_hw.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5749a57326068f073555a5c043befade7bc37abf

commit 5749a57326068f073555a5c043befade7bc37abf
Author: Ram Kishore Vegesna <ram@FreeBSD.org>
AuthorDate: 2021-05-28 05:51:10 +0000
Commit: Ram Kishore Vegesna <ram@FreeBSD.org>
CommitDate: 2021-12-17 10:12:25 +0000

    ocs_fc: Fix use after free bug in ocs_hw_async_call()

    Freed ctx is used in the later callee ocs_hw_command(), which is a use
    after free bug. Return error if sli_cmd_common_nop() failed.

    PR: 255865
    Reported by: lylgood@foxmail.com
    Approved by:: markj

    (cherry picked from commit 7377d3831bc8abec2d6e5fee359d7383d4551feb)

 sys/dev/ocs_fc/ocs_hw.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)