net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback

[PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback

Pavel Zhigulin posted 1 patch 9 hours ago

Download mbox

.../net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

Expand all Fold all

[PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback

Posted by Pavel Zhigulin 9 hours ago

In ch_ipsec_xfrm_add_state() there is not check of try_module_get
return value. It is very unlikely, but try_module_get() could return
false value, which could cause use-after-free error.

This fix adds checking the result of try_module_get call

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec")
Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
---
 .../net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
index ecd9a0bd5e18..3a5277630afa 100644
--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
+++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
@@ -35,6 +35,8 @@
  *	Atul Gupta (atul.gupta@chelsio.com)
  */

+#include "asm-generic/errno-base.h"
+#include "linux/compiler.h"
 #define pr_fmt(fmt) "ch_ipsec: " fmt

 #include <linux/kernel.h>
@@ -301,7 +303,8 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev,
 		sa_entry->esn = 1;
 	ch_ipsec_setkey(x, sa_entry);
 	x->xso.offload_handle = (unsigned long)sa_entry;
-	try_module_get(THIS_MODULE);
+	if (unlikely(!try_module_get(THIS_MODULE)))
+		res = -ENODEV;
 out:
 	return res;
 }
--
2.43.0