PCI/MSI: Fix UAF in msi_capability_init

KFENCE reports the following UAF:

BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488

Use-after-free read at 0x0000000024629571 (in kfence-#12):
__pci_enable_msi_range+0x2c0/0x488
pci_alloc_irq_vectors_affinity+0xec/0x14c
pci_alloc_irq_vectors+0x18/0x28

kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128

allocated by task 81 on cpu 7 at 10.808142s:
__kmem_cache_alloc_node+0x1f0/0x2bc
kmalloc_trace+0x44/0x138
msi_alloc_desc+0x3c/0x9c
msi_domain_insert_msi_desc+0x30/0x78
msi_setup_msi_desc+0x13c/0x184
__pci_enable_msi_range+0x258/0x488
pci_alloc_irq_vectors_affinity+0xec/0x14c
pci_alloc_irq_vectors+0x18/0x28

freed by task 81 on cpu 7 at 10.811436s:
msi_domain_free_descs+0xd4/0x10c
msi_domain_free_locked.part.0+0xc0/0x1d8
msi_domain_alloc_irqs_all_locked+0xb4/0xbc
pci_msi_setup_msi_irqs+0x30/0x4c
__pci_enable_msi_range+0x2a8/0x488
pci_alloc_irq_vectors_affinity+0xec/0x14c
pci_alloc_irq_vectors+0x18/0x28

Descriptor allocation done in:
__pci_enable_msi_range
msi_capability_init
msi_setup_msi_desc
msi_insert_msi_desc
msi_domain_insert_msi_desc
msi_alloc_desc
...

Freed in case of failure in __msi_domain_alloc_locked()
__pci_enable_msi_range
msi_capability_init
pci_msi_setup_msi_irqs
msi_domain_alloc_irqs_all_locked
msi_domain_alloc_locked
__msi_domain_alloc_locked => fails
msi_domain_free_locked
...

That failure propagates back to pci_msi_setup_msi_irqs() in
msi_capability_init() which accesses the descriptor for unmasking in the
error exit path.

Cure it by copying the descriptor and using the copy for the error exit path
unmask operation.

[ tglx: Massaged change log ]

Fixes: bf6e054e0e3f ("genirq/msi: Provide msi_device_populate/destroy_sysfs()")
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240624203729.1094506-1-smostafa@google.com
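The error-path use-after-free described above, and the copy-before-setup cure, reduced to a self-contained model. This is an added example, not code from the kernel or from the commit: `fake_pci_dev`, `fake_msi_desc`, `fake_update_mask`, `fake_setup_msi_irqs` and the `fail` knob are constructed stand-ins for the real `struct msi_desc`, `pci_msi_update_mask()` and `pci_msi_setup_msi_irqs()`, and a `freed` flag takes the place of the KFENCE detection in the report so the stale access can be observed without a sanitizer.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a PCI device's MSI mask register. */
struct fake_pci_dev {
    uint32_t mask_reg;      /* bit set = vector masked */
    int msi_enabled;
};

/* Constructed stand-in for struct msi_desc, reduced to the fields the
 * mask/unmask helper touches plus a 'freed' flag that lets the example
 * detect a use-after-free without a sanitizer. */
struct fake_msi_desc {
    struct fake_pci_dev *dev;
    uint32_t msi_mask;      /* cached copy of mask_reg */
    unsigned int nvec;
    int freed;
};

/* Same shape as msi_multi_mask(): one bit per allocated vector. */
static uint32_t fake_multi_mask(const struct fake_msi_desc *d)
{
    return d->nvec >= 32 ? 0xffffffffu : (1u << d->nvec) - 1;
}

/* Models pci_msi_update_mask(): adjust the cached mask, write it to the device.
 * Returns -EFAULT if the descriptor was already freed (the UAF the report shows). */
static int fake_update_mask(struct fake_msi_desc *d, uint32_t clear, uint32_t set)
{
    if (d->freed)
        return -EFAULT;
    d->msi_mask = (d->msi_mask & ~clear) | set;
    d->dev->mask_reg = d->msi_mask;
    return 0;
}

/* Models pci_msi_setup_msi_irqs() on a hierarchical irq domain: on failure the
 * domain core frees the descriptor before returning. 'fail' is a constructed
 * knob so the caller can force the error path. */
static int fake_setup_msi_irqs(struct fake_msi_desc *entry, int fail)
{
    if (fail) {
        entry->freed = 1;   /* models msi_domain_free_descs(); memory kept so the flag stays readable */
        return -ENOSPC;
    }
    return 0;
}

/* Pre-fix shape of msi_capability_init(): the error path unmasks through
 * 'entry', which fake_setup_msi_irqs() may already have freed. */
static int capability_init_before(struct fake_pci_dev *dev, struct fake_msi_desc *entry, int fail)
{
    int ret;

    dev->msi_enabled = 1;
    fake_update_mask(entry, 0, fake_multi_mask(entry));         /* mask all */
    ret = fake_setup_msi_irqs(entry, fail);
    if (ret)
        goto err;
    return 0;
err:
    if (fake_update_mask(entry, fake_multi_mask(entry), 0) == -EFAULT)
        ret = -EFAULT;                                          /* read of the freed descriptor */
    dev->msi_enabled = 0;
    return ret;
}

/* Fixed shape: snapshot the descriptor after masking and unmask via the stack
 * copy, so the error path never touches memory the domain core freed. */
static int capability_init_after(struct fake_pci_dev *dev, struct fake_msi_desc *entry, int fail)
{
    struct fake_msi_desc desc;
    int ret;

    dev->msi_enabled = 1;
    fake_update_mask(entry, 0, fake_multi_mask(entry));         /* mask all */
    memcpy(&desc, entry, sizeof(desc));                         /* after the mask, before setup */
    ret = fake_setup_msi_irqs(entry, fail);
    if (ret)
        goto err;
    return 0;
err:
    fake_update_mask(&desc, fake_multi_mask(&desc), 0);         /* copy is still valid */
    dev->msi_enabled = 0;
    return ret;
}

/* Drive one variant through the failing setup path. Returns the init result;
 * *mask_reg_out receives the device mask register afterwards (0 = unmasked). */
static int run_failing_init(int use_fix, uint32_t *mask_reg_out)
{
    struct fake_pci_dev dev = { .mask_reg = 0, .msi_enabled = 0 };
    struct fake_msi_desc *entry = calloc(1, sizeof(*entry));
    int ret;

    entry->dev = &dev;
    entry->nvec = 4;   /* constructed: four-vector multi-MSI */
    ret = use_fix ? capability_init_after(&dev, entry, 1)
                  : capability_init_before(&dev, entry, 1);
    *mask_reg_out = dev.mask_reg;
    free(entry);
    return ret;
}

static int failing_init_ret(int use_fix) { uint32_t m; return run_failing_init(use_fix, &m); }
static uint32_t failing_init_mask(int use_fix) { uint32_t m; run_failing_init(use_fix, &m); return m; }
```

In the pre-fix variant the unmask aborts on the freed descriptor and the vectors stay masked; in the fixed variant the stack copy still carries the device pointer and the masked state taken at line 379 of the patch, so the unmask lands and the real `-ENOSPC` propagates unchanged.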

authored by Mostafa Saleh and committed by Thomas Gleixner 9eee5330 a9c3ee5d

+8 -2
drivers/pci/msi/msi.c
··· 352 struct irq_affinity *affd) 353 { 354 struct irq_affinity_desc *masks = NULL; 355 - struct msi_desc *entry; 356 int ret; 357 358 /* Reject multi-MSI early on irq domain enabled architectures */ ··· 377 /* All MSIs are unmasked by default; mask them all */ 378 entry = msi_first_desc(&dev->dev, MSI_DESC_ALL); 379 pci_msi_mask(entry, msi_multi_mask(entry)); 380 381 /* Configure MSI capability structure */ 382 ret = pci_msi_setup_msi_irqs(dev, nvec, PCI_CAP_ID_MSI); ··· 402 goto unlock; 403 404 err: 405 - pci_msi_unmask(entry, msi_multi_mask(entry)); 406 pci_free_msi_irqs(dev); 407 fail: 408 dev->msi_enabled = 0;
··· 352 struct irq_affinity *affd) 353 { 354 struct irq_affinity_desc *masks = NULL; 355 + struct msi_desc *entry, desc; 356 int ret; 357 358 /* Reject multi-MSI early on irq domain enabled architectures */ ··· 377 /* All MSIs are unmasked by default; mask them all */ 378 entry = msi_first_desc(&dev->dev, MSI_DESC_ALL); 379 pci_msi_mask(entry, msi_multi_mask(entry)); 380 + /* 381 + * Copy the MSI descriptor for the error path because 382 + * pci_msi_setup_msi_irqs() will free it for the hierarchical 383 + * interrupt domain case. 384 + */ 385 + memcpy(&desc, entry, sizeof(desc)); 386 387 /* Configure MSI capability structure */ 388 ret = pci_msi_setup_msi_irqs(dev, nvec, PCI_CAP_ID_MSI); ··· 396 goto unlock; 397 398 err: 399 + pci_msi_unmask(&desc, msi_multi_mask(&desc)); 400 pci_free_msi_irqs(dev); 401 fail: 402 dev->msi_enabled = 0;
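Review bot: the memcpy at line 385 duplicates the whole struct msi_desc, including its list_head and affinity pointer, while the error path at line 399 only needs desc.dev and the pci mask fields, and the comment at lines 380-384 does not say that. Suggest extending the comment to state that the copy must be taken after pci_msi_mask() at line 379 so desc.pci.msi_mask reflects the masked state the unmask has to undo, and that only the dev pointer and pci.* fields of the copy are ever dereferenced, so the stale list and affinity pointers in it are harmless; a plain struct assignment (`struct msi_desc desc = *entry;` at the point of the memcpy, or `desc = *entry;` after line 379) reads clearer than memcpy for a same-type copy.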