linux/drivers/pci
Mostafa Saleh 9eee533065 PCI/MSI: Fix UAF in msi_capability_init
KFENCE reports the following UAF:

 BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488

 Use-after-free read at 0x0000000024629571 (in kfence-#12):
  __pci_enable_msi_range+0x2c0/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

 kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128

 allocated by task 81 on cpu 7 at 10.808142s:
  __kmem_cache_alloc_node+0x1f0/0x2bc
  kmalloc_trace+0x44/0x138
  msi_alloc_desc+0x3c/0x9c
  msi_domain_insert_msi_desc+0x30/0x78
  msi_setup_msi_desc+0x13c/0x184
  __pci_enable_msi_range+0x258/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

 freed by task 81 on cpu 7 at 10.811436s:
  msi_domain_free_descs+0xd4/0x10c
  msi_domain_free_locked.part.0+0xc0/0x1d8
  msi_domain_alloc_irqs_all_locked+0xb4/0xbc
  pci_msi_setup_msi_irqs+0x30/0x4c
  __pci_enable_msi_range+0x2a8/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

Descriptor allocation done in:
__pci_enable_msi_range
    msi_capability_init
        msi_setup_msi_desc
            msi_insert_msi_desc
                msi_domain_insert_msi_desc
                    msi_alloc_desc
                        ...

Freed in case of failure in __msi_domain_alloc_locked()
__pci_enable_msi_range
    msi_capability_init
        pci_msi_setup_msi_irqs
            msi_domain_alloc_irqs_all_locked
                msi_domain_alloc_locked
                    __msi_domain_alloc_locked => fails
                    msi_domain_free_locked
                        ...

That failure propagates back to pci_msi_setup_msi_irqs() in
msi_capability_init() which accesses the descriptor for unmasking in the
error exit path.

Cure it by copying the descriptor and using the copy for the error exit path
unmask operation.

[ tglx: Massaged change log ]

Fixes: bf6e054e0e ("genirq/msi: Provide msi_device_populate/destroy_sysfs()")
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240624203729.1094506-1-smostafa@google.com
2024-06-24 23:33:38 +02:00
controller Merge branch 'pci/controller/tegra194' 2024-05-16 18:14:13 -05:00
endpoint Merge branch 'pci/endpoint' 2024-05-16 18:14:13 -05:00
hotplug PCI: hotplug: Remove obsolete sgi_hotplug TODO notes 2024-05-03 16:26:50 -05:00
msi PCI/MSI: Fix UAF in msi_capability_init 2024-06-24 23:33:38 +02:00
pcie pci-v6.10-changes 2024-05-21 10:09:28 -07:00
switch PCI: switchtec: Fix an error handling path in switchtec_pci_probe() 2024-02-08 15:35:38 -06:00
access.c PCI: Revert the cfg_access_lock lockdep mechanism 2024-06-04 12:10:05 -05:00
ats.c
bus.c PCI/ASPM: Fix deadlock when enabling ASPM 2024-01-31 09:03:51 -06:00
devres.c PCI: Move devres code from pci.c to devres.c 2024-02-12 10:36:17 -06:00
doe.c PCI/DOE: Support discovery version 2 2024-04-09 09:33:15 -05:00
ecam.c
host-bridge.c
iomap.c PCI: Move pci_iomap.c to drivers/pci/ 2024-02-12 10:35:40 -06:00
iov.c
irq.c PCI: Place interrupt related code into irq.c 2024-01-29 17:01:31 -06:00
Kconfig PCI: Move pci_iomap.c to drivers/pci/ 2024-02-12 10:35:40 -06:00
Makefile Merge branch 'pci/sysfs' 2024-03-12 12:14:23 -05:00
mmap.c PCI/sysfs: Compile pci-sysfs.c only if CONFIG_SYSFS=y 2024-03-05 16:08:43 -06:00
of_property.c PCI: of_property: Return error for int_map allocation failure 2024-05-02 17:15:01 -05:00
of.c
p2pdma.c PCI/P2PDMA: Fix a sleeping issue in a RCU read section 2024-02-08 15:31:43 -06:00
pci-acpi.c
pci-bridge-emul.c
pci-bridge-emul.h
pci-driver.c Merge branch 'pci/misc' 2024-03-12 12:14:24 -05:00
pci-label.c
pci-mid.c
pci-pf-stub.c
pci-stub.c
pci-sysfs.c PCI/sysfs: Demacrofy pci_dev_resource_resize_attr(n) functions 2024-03-05 16:10:17 -06:00
pci.c PCI: Revert the cfg_access_lock lockdep mechanism 2024-06-04 12:10:05 -05:00
pci.h PCI: Make pcie_bandwidth_capable() static 2024-05-08 19:03:55 -05:00
probe.c PCI: Revert the cfg_access_lock lockdep mechanism 2024-06-04 12:10:05 -05:00
proc.c
quirks.c pci-v6.10-changes 2024-05-21 10:09:28 -07:00
remove.c
rom.c
search.c
setup-bus.c
setup-res.c
slot.c
syscall.c
vc.c
vgaarb.c
vpd.c
xen-pcifront.c