ernel.org
> 主题: Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages
>
> From: Lv Yunlong
> Date: Tue, 30 Mar 2021 03:16:02 -0700
>
> > @@ -348,7 +348,7 @@ struct rds_message *rds_message_map_pages(unsigned long
> > *page_addrs, unsigned in
> >
From: Lv Yunlong
Date: Tue, 30 Mar 2021 03:16:02 -0700
> @@ -348,7 +348,7 @@ struct rds_message *rds_message_map_pages(unsigned long
> *page_addrs, unsigned in
> rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs);
> if (IS_ERR(rm->data.op_sg)) {
> rds_message_put(rm);
In rds_message_map_pages, the rm is freed by rds_message_put(rm).
But rm is still used by rm->data.op_sg in return value.
My patch replaces ERR_CAST(rm->data.op_sg) to ERR_PTR(-ENOMEM) to avoid
the uaf.
Fixes: 7dba92037baf3 ("net/rds: Use ERR_PTR for rds_message_alloc_sgs()")
Signed-off-by: Lv Yu
送: netdev@vger.kernel.org, linux-r...@vger.kernel.org,
> rds-de...@oss.oracle.com, linux-ker...@vger.kernel.org, "Lv Yunlong"
>
> 主题: [PATCH] net/rds: Fix a use after free in rds_message_map_pages
>
> In rds_message_map_pages, rds_message_put() will free rm.
In rds_message_map_pages, rds_message_put() will free rm.
Maybe store the value of rm->data.op_sg ahead of rds_message_put()
is better. Otherwise other threads could allocate the freed chunk
and may change the value of rm->data.op_sg.
Signed-off-by: Lv Yunlong
---
net/rds/message.c | 3 ++-
1 fi
