linux/drivers/misc
David Fernandez Gonzalez 48b9a8dabc VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
When removing a resource from vmci_resource_table in
vmci_resource_remove(), the search is performed using the resource
handle by comparing context and resource fields.

It is possible, though, to create two resources with different types
but the same handle (same context and resource fields).

When trying to remove one of the resources, vmci_resource_remove()
may not remove the intended one, but the object will still be freed
as in the case of the datagram type in vmci_datagram_destroy_handle().
vmci_resource_table will still hold a pointer to this freed resource
leading to a use-after-free vulnerability.

BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
 kasan_report+0x38/0x51 mm/kasan/report.c:442
 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
 vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
 kref_put include/linux/kref.h:65 [inline]
 vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
 vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
 vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
 __fput+0x261/0xa34 fs/file_table.c:282
 task_work_run+0xf0/0x194 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
 syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x6e/0x0

This change ensures the type is also checked when removing
the resource from vmci_resource_table in vmci_resource_remove().

Fixes: bc63dedb7d ("VMCI: resource object implementation.")
Cc: stable@vger.kernel.org
Reported-by: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez@oracle.com>
Link: https://lore.kernel.org/r/20240828154338.754746-1-david.fernandez.gonzalez@oracle.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-09-03 13:16:42 +02:00
altera-stapl misc: add HAS_IOPORT dependencies 2023-05-29 15:05:00 +01:00
bcm-vk tty: bcm: convert to u8 and size_t 2023-12-08 12:02:37 +01:00
c2port c2port: replace deprecated strncpy with strscpy 2023-10-05 13:34:05 +02:00
cardreader misc: rtsx: do clear express reg every SD_INT 2024-05-04 19:00:51 +02:00
cb710 cb710: avoid NULL pointer subtraction 2021-10-05 15:50:05 +02:00
cxl cxl: Convert to platform remove callback returning void 2024-03-05 14:28:51 +00:00
echo
eeprom eeprom: ee1004: Fix locking issues in ee1004_probe() 2024-07-31 13:41:42 +02:00
genwqe mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER 2024-01-08 15:27:15 -08:00
ibmasm ibmasm: convert to new timestamp accessors 2023-10-18 13:26:16 +02:00
keba misc: keba: Fix sysfs group creation 2024-09-03 12:37:29 +02:00
lis3lv02d misc: lis3lv02d_i2c: Fix regulators getting en-/dis-abled twice on suspend/resume 2024-03-04 07:59:43 +01:00
lkdtm refcount: Report UAF for refcount_sub_and_test(0) when counter==0 2024-08-05 14:34:23 -07:00
mchp_pci1xxxx misc: microchip: pci1xxxx: Fix return value of nvmem callbacks 2024-07-03 16:37:33 +02:00
mei Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
ocxl powerpc updates for 6.8 2024-01-08 16:22:47 -08:00
pvpanic Linux 6.9-rc7 2024-05-08 19:21:51 +01:00
sgi-gru mm/treewide: replace pmd_large() with pmd_leaf() 2024-03-06 13:04:19 -08:00
sgi-xp sysctl-6.7-rc1 2023-11-01 20:51:41 -10:00
ti-st misc: ti-st: st_kim: use 'time_left' variable with wait_for_completion_interruptible_timeout() 2024-07-03 16:40:18 +02:00
uacce uacce: make uacce_class constant 2023-10-27 08:51:00 +02:00
vmw_vmci VMCI: Fix use-after-free when removing resource in vmci_resource_remove() 2024-09-03 13:16:42 +02:00
ad525x_dpot-i2c.c misc: Switch i2c drivers back to use .probe() 2023-05-29 15:04:52 +01:00
ad525x_dpot-spi.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
ad525x_dpot.c misc: ad525x_dpot: Make ad_dpot_remove() return void 2021-10-13 14:35:37 +02:00
ad525x_dpot.h misc: ad525x_dpot: Make ad_dpot_remove() return void 2021-10-13 14:35:37 +02:00
apds990x.c misc: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-07-03 16:41:00 +02:00
apds9802als.c misc: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-07-03 16:41:00 +02:00
atmel-ssc.c misc: atmel-ssc: Convert to platform remove callback returning void 2024-03-05 14:28:51 +00:00
bh1770glc.c misc: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-07-03 16:41:00 +02:00
cs5535-mfgpt.c
ds1682.c misc: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-07-03 16:41:00 +02:00
dummy-irq.c
dw-xdata-pcie.c dw-xdata: Remove usage of the deprecated ida_simple_*() API 2023-12-31 11:09:26 +00:00
enclosure.c drivers: remove struct module * setting from struct class 2023-03-17 15:16:27 +01:00
fastrpc.c misc: fastrpc: Fix double free of 'buf' in error path 2024-09-03 12:19:31 +02:00
gehc-achc.c misc: gehc-achc: Follow renaming of SPI "master" to "controller" 2024-02-08 11:54:43 +00:00
hi6421v600-irq.c misc: hi6421-spmi-pmic: Remove unused of_gpio.h 2024-03-05 14:28:41 +00:00
hisi_hikey_usb.c misc: hisi_hikey_usb: Convert to platform remove callback returning void 2024-03-05 14:28:52 +00:00
hmc6352.c misc: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-07-03 16:41:00 +02:00
hpilo.c misc: hpilo: rename device creation loop variable 2024-01-30 16:19:43 -08:00
hpilo.h misc: hpilo: map iLO shared memory by PCI revision id 2021-06-04 15:28:23 +02:00
ibmvmc.c Char/Misc and other driver changes for 6.7-rc1 2023-11-03 14:51:08 -10:00
ibmvmc.h
ics932s401.c misc: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-07-03 16:41:00 +02:00
isl29003.c misc: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-07-03 16:41:00 +02:00
isl29020.c misc: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-07-03 16:41:00 +02:00
Kconfig misc: mrvl-cn10k-dpi: add PCI_IOV dependency 2024-07-31 13:47:27 +02:00
kgdbts.c kgdbts: fix return value of __setup handler 2022-03-18 14:17:56 +01:00
lattice-ecp3-config.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
Makefile misc: mrvl-cn10k-dpi: add Octeon CN10K DPI administrative driver 2024-07-10 14:58:29 +02:00
mrvl_cn10k_dpi.c misc: mrvl-cn10k-dpi: add Octeon CN10K DPI administrative driver 2024-07-10 14:58:29 +02:00
nsm.c misc: nsm: drop owner assignment 2024-05-22 08:31:17 -04:00
ntsync.c ntsync: Introduce NTSYNC_IOC_SEM_POST. 2024-04-11 15:34:40 +02:00
open-dice.c misc: open-dice: add missing MODULE_DESCRIPTION() macro 2024-06-04 17:40:20 +02:00
pch_phub.c
pci_endpoint_test.c misc: pci_endpoint_test: Remove unused pci_endpoint_test_bar_{readl,writel} functions 2024-07-09 17:58:54 -05:00
phantom.c misc: phantom: make phantom_class constant 2023-10-25 11:07:11 +02:00
qcom-coincell.c misc: Explicitly include correct DT includes 2023-08-04 15:39:04 +02:00
smpro-errmon.c misc: smpro-errmon: Remove the unneeded include <linux/i2c.h> 2023-05-31 19:00:10 +01:00
smpro-misc.c misc: smpro-misc: Add Ampere's Altra SMpro misc driver 2022-11-10 19:03:03 +01:00
sram-exec.c mm: Introduce set_memory_rox() 2022-12-15 10:37:26 -08:00
sram.c misc: sram: Convert to platform remove callback returning void 2024-03-05 14:28:52 +00:00
sram.h misc: sram: Improve and simplify clk handling 2023-03-09 17:31:53 +01:00
tifm_7xx1.c misc: tifm: use 'time_left' variable with wait_for_completion_timeout() 2024-07-03 16:40:18 +02:00
tifm_core.c driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
tps6594-esm.c Merge 6.5-rc6 into char-misc-next 2023-08-13 22:14:51 +02:00
tps6594-pfsm.c misc: tps6594-pfsm: Add TI TPS65224 PMIC PFSM 2024-05-03 10:07:07 +01:00
tsl2550.c misc: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-07-03 16:41:00 +02:00
vcpu_stall_detector.c misc: Register a PPI for the vcpu stall detection virtual device 2024-07-04 12:31:22 +02:00
vmw_balloon.c vmw_balloon: dynamically allocate the vmw-balloon shrinker 2023-10-04 10:32:25 -07:00
xilinx_sdfec.c misc: xilinx_sdfec: Convert to platform remove callback returning void 2024-03-05 14:28:52 +00:00
xilinx_tmr_inject.c misc: xilinx_tmr_inject: Convert to platform remove callback returning void 2024-03-05 14:28:53 +00:00
xilinx_tmr_manager.c misc: Explicitly include correct DT includes 2023-08-04 15:39:04 +02:00