Created attachment 224930 [details]
add a new variable ocs

Bug File: sys/dev/ocs_fc/ocs_sport.c

In function ocs_sport_free, domain could be freed via ocs_domain_post_event(domain, ...) -> ocs_domain_free(domain) -> ocs_free(ocs, domain, sizeof(*domain)). But the freed domain is still used by domain->ocs at line 266 via ocs_free(domain->ocs, sport, sizeof(*sport)). My patch adds a new variable ocs and sets ocs = domain->ocs before domain can be freed, to avoid the UAF bug.
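An added example, not the ocs_fc driver's code, that models the pattern the report describes: the domain is torn down inside an event callback, and the caller then reads domain->ocs from the object that callback just freed. The struct and function names (ocs, ocs_domain, ocs_sport, ocs_free, ocs_domain_post_event, g_ocs, run_case) are simplified assumptions modelled on the names in the report. Instead of calling free(), the model ocs_free() poisons the object, so the stale read is well-defined here and shows up as a free with a garbage adapter context rather than as undefined behaviour. It shows the reporter's original hoisting approach alongside the fix committed later in this thread (take ocs from the sport being freed).

```c
/* Constructed model of the ocs_sport_free use-after-free; not driver code. */
#include <stdio.h>
#include <string.h>

struct ocs {                 /* adapter context that owns all allocations */
    int good_frees;
    int bad_frees;           /* frees attempted with a wrong/garbage context */
};
struct ocs_domain { struct ocs *ocs; };
struct ocs_sport  { struct ocs *ocs; struct ocs_domain *domain; };

static struct ocs g_ocs;     /* the single valid adapter in this model */

/* Model of ocs_free(ocs, p, len): validates the context, then poisons the
 * object instead of releasing it so a later read is visible, not UB. */
static int ocs_free(struct ocs *ocs, void *p, size_t len)
{
    if (ocs != &g_ocs) {     /* in the real driver: a wild pointer deref */
        g_ocs.bad_frees++;
        return -1;
    }
    g_ocs.good_frees++;
    memset(p, 0xa5, len);
    return 0;
}

/* Models ocs_domain_post_event() -> ocs_domain_free(): the handler frees
 * the domain when the sport being removed was its last one. */
static void ocs_domain_post_event(struct ocs_domain *domain, int last_sport)
{
    if (last_sport)
        ocs_free(domain->ocs, domain, sizeof(*domain));
}

/* Vulnerable shape: domain->ocs is read after the event may free domain. */
static int ocs_sport_free_vuln(struct ocs_sport *sport, int last_sport)
{
    struct ocs_domain *domain = sport->domain;
    ocs_domain_post_event(domain, last_sport);
    return ocs_free(domain->ocs, sport, sizeof(*sport));   /* stale read */
}

/* Reporter's first patch: capture ocs before the domain can go away. */
static int ocs_sport_free_hoisted(struct ocs_sport *sport, int last_sport)
{
    struct ocs_domain *domain = sport->domain;
    struct ocs *ocs = domain->ocs;
    ocs_domain_post_event(domain, last_sport);
    return ocs_free(ocs, sport, sizeof(*sport));
}

/* Committed fix: the sport being freed carries its own ocs pointer. */
static int ocs_sport_free_fixed(struct ocs_sport *sport, int last_sport)
{
    struct ocs_domain *domain = sport->domain;
    ocs_domain_post_event(domain, last_sport);
    return ocs_free(sport->ocs, sport, sizeof(*sport));
}

/* Runs one variant on fresh objects; returns the status of the sport free
 * (0 = correct context, -1 = garbage context read from freed memory). */
static int run_case(int (*fn)(struct ocs_sport *, int), int last_sport)
{
    struct ocs_domain domain = { .ocs = &g_ocs };
    struct ocs_sport sport = { .ocs = &g_ocs, .domain = &domain };
    return fn(&sport, last_sport);
}

int main(void)
{
    printf("vuln, domain survives: %d\n", run_case(ocs_sport_free_vuln, 0));
    printf("vuln, domain freed:    %d\n", run_case(ocs_sport_free_vuln, 1));
    printf("hoisted, domain freed: %d\n", run_case(ocs_sport_free_hoisted, 1));
    printf("fixed, domain freed:   %d\n", run_case(ocs_sport_free_fixed, 1));
    return 0;
}
```

The bug only fires on the path where the sport was the domain's last one, which is why it is easy to miss in ordinary testing; the committed one-line change removes the dependency on the domain entirely rather than ordering the read around the callback.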
Ram, could you please take a look at this and PR 255865?
Created attachment 225300 [details]
Use ocs from sport.
Thanks for reporting the issue. I think the attached patch will avoid the new variable. Please let me know if you want me to check in the changes.
(In reply to Ram Kishore Vegesna from comment #3) Yes, I think your patch is better.
(In reply to Ram Kishore Vegesna from comment #3) Thanks for the quick reply. Yes, please go ahead and commit. Be sure to include "PR:" tags in the commit log message.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=dd722ccd6efcaed5c6056e51a044db7f1a5b4a0d

commit dd722ccd6efcaed5c6056e51a044db7f1a5b4a0d
Author:     Ram Kishore Vegesna <ram@FreeBSD.org>
AuthorDate: 2021-05-28 05:26:13 +0000
Commit:     Ram Kishore Vegesna <ram@FreeBSD.org>
CommitDate: 2021-05-28 05:26:13 +0000

    ocs_fc: Fix a use after free in ocs_sport_free

    Domain which could be freed is used while freeing the sport.
    Use ocs from sport.

    PR: 255866
    Reported by: lylgood@foxmail.com
    Approved by:: markj

 sys/dev/ocs_fc/ocs_sport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Are there plans to backport this patch to stable/12?
(In reply to dave from comment #7) As of now, I don't have plans to backport this change. Will merge if any customer is facing the issue.
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=241d1376550452d2da5eb80e9ee5d84ae567dd7b

commit 241d1376550452d2da5eb80e9ee5d84ae567dd7b
Author:     Ram Kishore Vegesna <ram@FreeBSD.org>
AuthorDate: 2021-05-28 05:26:13 +0000
Commit:     Ram Kishore Vegesna <ram@FreeBSD.org>
CommitDate: 2021-12-17 09:45:59 +0000

    ocs_fc: Fix a use after free in ocs_sport_free

    Domain which could be freed is used while freeing the sport.
    Use ocs from sport.

    PR: 255866
    Reported by: lylgood@foxmail.com
    Approved by:: markj

    (cherry picked from commit dd722ccd6efcaed5c6056e51a044db7f1a5b4a0d)

 sys/dev/ocs_fc/ocs_sport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f7a7748afc1ccec9c10a08ce86d882528a0410e3

commit f7a7748afc1ccec9c10a08ce86d882528a0410e3
Author:     Ram Kishore Vegesna <ram@FreeBSD.org>
AuthorDate: 2021-05-28 05:26:13 +0000
Commit:     Ram Kishore Vegesna <ram@FreeBSD.org>
CommitDate: 2021-12-17 10:12:09 +0000

    ocs_fc: Fix a use after free in ocs_sport_free

    Domain which could be freed is used while freeing the sport.
    Use ocs from sport.

    PR: 255866
    Reported by: lylgood@foxmail.com
    Approved by:: markj

    (cherry picked from commit dd722ccd6efcaed5c6056e51a044db7f1a5b4a0d)

 sys/dev/ocs_fc/ocs_sport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)