From patchwork Thu Jan 5 09:14:46 2012
X-Patchwork-Submitter: Artem Bityutskiy
X-Patchwork-Id: 134448
Message-ID: <1325754886.6755.20.camel@sauron.fi.intel.com>
Subject: Re: possible use-after-free in drivers/mtd/ubi/wl.c: erase_worker
From: Artem Bityutskiy
To: Emese Revfy
Date: Thu, 05 Jan 2012 11:14:46 +0200
In-Reply-To: <20120104003446.695fd426@gmail.com>
References: <20120104003446.695fd426@gmail.com>
Cc: linux-mtd@lists.infradead.org, dwmw2@infradead.org, linux-kernel@vger.kernel.org
Reply-To: dedekind1@gmail.com
List-Id: Linux MTD discussion mailing list

Well-spotted, thanks. I've just pushed this patch to the UBIFS git tree:
From: Artem Bityutskiy Subject: [PATCH] UBI: fix use-after-free on error path When we fail to erase a PEB, we free the corresponding erase entry object, but then re-schedule this object if the error code was something like -EAGAIN. Obviously, it is a bug to use the object after we have freed it. Reported-by: Emese Revfy Cc: stable@kernel.org [v2.6.23+] Signed-off-by: Artem Bityutskiy --- drivers/mtd/ubi/wl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c index 42c684c..036d213 100644 --- a/drivers/mtd/ubi/wl.c +++ b/drivers/mtd/ubi/wl.c @@ -1049,7 +1049,6 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk, ubi_err("failed to erase PEB %d, error %d", pnum, err); kfree(wl_wrk); - kmem_cache_free(ubi_wl_entry_slab, e); if (err == -EINTR || err == -ENOMEM || err == -EAGAIN || err == -EBUSY) { @@ -1062,14 +1061,16 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk, goto out_ro; } return err; - } else if (err != -EIO) { + } + + kmem_cache_free(ubi_wl_entry_slab, e); + if (err != -EIO) /* * If this is not %-EIO, we have no idea what to do. Scheduling * this physical eraseblock for erasure again would cause * errors again and again. Well, lets switch to R/O mode. */ goto out_ro; - } /* It is %-EIO, the PEB went bad */
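Review bot: In the first hunk (around line 1049), dropping the kmem_cache_free(ubi_wl_entry_slab, e) that sat right after kfree(wl_wrk) is the actual fix, since the retry branch for -EINTR/-ENOMEM/-EAGAIN/-EBUSY that follows re-schedules e and must not touch a freed entry; the body of that retry branch lies outside the visible context, so the commit message should say explicitly that every path through it either returns (the "return err;" visible at the top of the second hunk) or jumps to out_ro, so control never reaches the later free after a reschedule. Note also that wl_wrk is still freed before the retry, which is only safe if the rescheduling path allocates a fresh work struct rather than reusing wl_wrk; a sentence confirming that would help the stable backport reviewers.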
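Review bot: In the second hunk (around line 1062), kmem_cache_free(ubi_wl_entry_slab, e) now runs before both the "if (err != -EIO) goto out_ro;" check and the -EIO "PEB went bad" path below the hunk, so nothing after that point may dereference e (for example e->pnum); the first hunk shows a local pnum already passed to ubi_err(), so the bad-PEB handling should rely on that local, and that is worth verifying against the lines not shown here. A smaller point: rewriting "} else if (err != -EIO) {" as a brace-less "if (err != -EIO)" whose body is a multi-line comment followed by a single goto is valid C, but the braces cost nothing and guard against a later edit adding a statement that silently lands outside the conditional; consider keeping them.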