Bug 255868 - [PATCH] dev/qlnx/qlnxe: Fix a use after free in ecore_spq_post
Summary: [PATCH] dev/qlnx/qlnxe: Fix a use after free in ecore_spq_post
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Mark Johnston
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2021-05-14 11:35 UTC by lylgood
Modified: 2022-10-17 12:36 UTC

See Also:


Attachments
change *p_ent to **p_ent in ecore_spq_add_entry() (2.56 KB, patch)
2021-05-14 11:35 UTC, lylgood

Description lylgood 2021-05-14 11:35:52 UTC
Created attachment 224932
change *p_ent to **p_ent in ecore_spq_add_entry()

Bug File: sys/dev/qlnx/qlnxe/ecore_spq.c

In function ecore_spq_post, p_ent could be freed via ecore_spq_add_entry(.., p_ent, ..) -> OSAL_FREE(.., p_ent).
At the spq_post_fail branch, the freed p_ent is still used by
__ecore_spq_return_entry(p_hwfn, p_ent), which is a use-after-free bug.

The root of this UAF bug is that p_ent is freed in function ecore_spq_add_entry() but fails to be reset to p_en2 by "p_ent = p_en2;". The p_ent passed to ecore_spq_add_entry() should be **p_ent instead of *p_ent.

My patch fixes that error with a new variable p_en1.
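The mechanism the report describes, as an added example that is not the qlnx driver's code: a by-value pointer parameter (*p_ent) that the callee frees and rebinds, beside the pointer-to-pointer (**p_ent) form the patch moves to. All names (spq_entry, spq_add_entry_buggy, spq_add_entry_fixed, post_fail_path_is_safe) and the two-slot pool are hypothetical constructions so the dangling pointer can be inspected without touching freed heap memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the driver's SPQ entry (not the qlnx code). */
struct spq_entry { int id; bool in_use; };

/* Constructed two-slot pool: a "freed" entry can be inspected safely instead
 * of dereferencing memory that has really been returned to the allocator. */
static struct spq_entry pool[2];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }
static void pool_free(struct spq_entry *e) { e->in_use = false; }

static struct spq_entry *pool_alloc(int id)
{
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].in_use) { pool[i].in_use = true; pool[i].id = id; return &pool[i]; }
    return NULL;
}

/* Buggy shape (*p_ent): the parameter is a copy, so "p_ent = p_en2" rebinds
 * only the local variable and the caller is left holding the freed entry. */
static void spq_add_entry_buggy(struct spq_entry *p_ent)
{
    struct spq_entry *p_en2 = pool_alloc(p_ent->id);  /* replacement slot */
    pool_free(p_ent);                                  /* caller's pointer now dangles */
    p_ent = p_en2;                                     /* lost on return */
    (void)p_ent;
}

/* Fixed shape (**p_ent): the callee rebinds the caller's own pointer variable. */
static void spq_add_entry_fixed(struct spq_entry **p_ent)
{
    struct spq_entry *p_en2 = pool_alloc((*p_ent)->id);
    pool_free(*p_ent);
    *p_ent = p_en2;                                    /* caller sees the new entry */
}

/* Models the spq_post_fail path: after the add step, is the p_ent that would
 * be handed to the "return entry" routine still a live entry? */
static bool post_fail_path_is_safe(bool use_fixed_version)
{
    pool_reset();
    struct spq_entry *p_ent = pool_alloc(1);
    if (use_fixed_version) spq_add_entry_fixed(&p_ent);
    else                   spq_add_entry_buggy(p_ent);
    return p_ent != NULL && p_ent->in_use;
}
```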
Comment 1 Mark Johnston freebsd_committer freebsd_triage 2021-05-26 14:07:49 UTC
David, could you please take a look?
Comment 2 Mark Johnston freebsd_committer freebsd_triage 2021-06-02 14:11:45 UTC
https://reviews.freebsd.org/D30612
Comment 3 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:36:17 UTC
Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>