From patchwork Wed Aug 8 09:30:03 2018
X-Patchwork-Submitter: Hal Rosenstock
X-Patchwork-Id: 10559691
To: Honggang LI
Cc: linux-rdma@vger.kernel.org
From: Hal Rosenstock
Subject: [PATCHv2 opensm] osm_sa_mcmember_record.c: Fix use after free in mcmr_rcv_join_mgrp
Message-ID: <9443fd34-fb39-2edb-0a65-8e782bd1e064@dev.mellanox.co.il>
Date: Wed, 8 Aug 2018 05:30:03 -0400

The cleanup function frees p_mgrp before the osm_log() prints the GUID.
Issue was found by Coverity.

Error: USE_AFTER_FREE (CWE-825): [#def11]
opensm-3.3.20/opensm/osm_sa_mcmember_record.c:1340: freed_arg: "osm_mgrp_cleanup" frees "p_mgrp".
opensm-3.3.20/opensm/osm_multicast.c:184:2: freed_arg: "free" frees parameter "mgrp".
opensm-3.3.20/opensm/osm_sa_mcmember_record.c:1342: deref_after_free: Dereferencing freed pointer "p_mgrp".
|# 1340|     osm_mgrp_cleanup(sa->p_subn, p_mgrp);
|# 1341|     CL_PLOCK_RELEASE(sa->p_lock);
|# 1342|->   OSM_LOG(sa->p_log, OSM_LOG_ERROR, "ERR 1B12: "
|# 1343|             "validate_more_comp_fields, validate_port_caps, "
|# 1344|             "or JoinState = 0 failed for MGID: %s port 0x%016" PRIx64

Error: USE_AFTER_FREE (CWE-825): [#def12]
opensm-3.3.20/opensm/osm_sa_mcmember_record.c:1357: freed_arg: "osm_mgrp_cleanup" frees "p_mgrp".
opensm-3.3.20/opensm/osm_multicast.c:184:2: freed_arg: "free" frees parameter "mgrp".
opensm-3.3.20/opensm/osm_sa_mcmember_record.c:1360: deref_after_free: Dereferencing freed pointer "p_mgrp".
|# 1358|     CL_PLOCK_RELEASE(sa->p_lock);
|# 1359|     memset(gid_str, 0, sizeof(gid_str));
|# 1360|->   OSM_LOG(sa->p_log, OSM_LOG_ERROR, "ERR 1B14: "
|# 1361|             "Cannot join port 0x%016" PRIx64 " to MGID %s - "
|# 1362|

Signed-off-by: Dan Ben Yosef
Signed-off-by: Alex Netes
Signed-off-by: Hal Rosenstock
Acked-by: Honggang Li
---
 opensm/osm_sa_mcmember_record.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/opensm/osm_sa_mcmember_record.c b/opensm/osm_sa_mcmember_record.c index 9b94993..cf74308 100644 --- a/opensm/osm_sa_mcmember_record.c +++ b/opensm/osm_sa_mcmember_record.c @@ -1345,6 +1345,12 @@ static void mcmr_rcv_join_mgrp(IN osm_sa_t * sa, IN osm_madw_t * p_madw) || !validate_port_caps(sa->p_log, p_mgrp, p_physp) || !(join_state != 0)) { char gid_str[INET6_ADDRSTRLEN]; + memset(gid_str, 0, sizeof(gid_str)); + + /* get the gid_str before the cleanup, the cleanup can free the pointer */ + inet_ntop(AF_INET6, p_mgrp->mcmember_rec.mgid.raw, gid_str, + sizeof gid_str); + /* since we might have created the new group we need to cleanup */ if (is_new_group) osm_mgrp_cleanup(sa->p_subn, p_mgrp); @@ -1353,9 +1359,7 @@ static void mcmr_rcv_join_mgrp(IN osm_sa_t * sa, IN osm_madw_t * p_madw) "validate_more_comp_fields, validate_port_caps, " "or JoinState = 0 failed for MGID: %s port 0x%016" PRIx64 " (%s), sending IB_SA_MAD_STATUS_REQ_INVALID\n", - inet_ntop(AF_INET6, p_mgrp->mcmember_rec.mgid.raw, - gid_str, sizeof gid_str), - cl_ntoh64(portguid), p_port->p_node->print_desc); + gid_str, cl_ntoh64(portguid), p_port->p_node->print_desc); osm_sa_send_error(sa, p_madw, IB_SA_MAD_STATUS_REQ_INVALID); goto Exit; } 
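Review bot: in this first hunk the return value of inet_ntop() is now discarded, so the only thing keeping "ERR 1B12" from printing garbage on a conversion failure is the memset() two lines above it, and the message would then silently show an empty MGID; either say so in the comment ("memset keeps gid_str a valid empty string if inet_ntop fails") or check the return and substitute a marker such as "<invalid>". Also worth a look while touching this path: the OSM_LOG still dereferences p_port->p_node->print_desc after CL_PLOCK_RELEASE(sa->p_lock); the same snapshot-before-cleanup approach now used for the MGID could be applied to print_desc, or the OSM_LOG could be emitted before the unlock since it no longer needs p_mgrp.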
@@ -1363,17 +1367,17 @@ static void mcmr_rcv_join_mgrp(IN osm_sa_t * sa, IN osm_madw_t * p_madw) /* verify that the joining port is in the partition of the group */ if (!osm_physp_has_pkey(sa->p_log, p_mgrp->mcmember_rec.pkey, p_physp)) { char gid_str[INET6_ADDRSTRLEN]; + memset(gid_str, 0, sizeof(gid_str)); + inet_ntop(AF_INET6, p_mgrp->mcmember_rec.mgid.raw, gid_str, + sizeof(gid_str)); + if (is_new_group) osm_mgrp_cleanup(sa->p_subn, p_mgrp); CL_PLOCK_RELEASE(sa->p_lock); - memset(gid_str, 0, sizeof(gid_str)); OSM_LOG(sa->p_log, OSM_LOG_ERROR, "ERR 1B14: " "Cannot join port 0x%016" PRIx64 " to MGID %s - " "Port is not in partition of this MC group\n", - cl_ntoh64(portguid), - inet_ntop(AF_INET6, - p_mgrp->mcmember_rec.mgid.raw, - gid_str, sizeof(gid_str))); + cl_ntoh64(portguid), gid_str); osm_sa_send_error(sa, p_madw, IB_SA_MAD_STATUS_REQ_INVALID); goto Exit; }
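Review bot: this second hunk lacks the explanatory comment the first hunk adds ("get the gid_str before the cleanup, the cleanup can free the pointer"); duplicate it here so the next reader does not move the inet_ntop() back below osm_mgrp_cleanup(). Minor style: this hunk writes sizeof(gid_str) while the first writes sizeof gid_str; pick one form. As in the first hunk, inet_ntop()'s return value is unchecked, which leaves the relocated memset() as the only guarantee that "ERR 1B14" prints a terminated (empty) string on failure.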
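As an added illustration (my own code, not OpenSM code and not part of this patch), the following C program shows the general pattern the fix applies: copy every field the error log needs out of the object before the object may be freed, and only then free, unlock and log. toy_mgrp_t, toy_mgrp_new, toy_mgrp_cleanup, format_mgid and reject_join are hypothetical stand-ins for osm_mgrp_t, osm_mgrp_cleanup and the error branch of mcmr_rcv_join_mgrp; the MGID bytes and port GUID are constructed. It goes one step beyond the patch in checking inet_ntop()'s return value and in reporting truncation of the log line.

```c
/* Added example, not OpenSM code.  Demonstrates the snapshot-before-free
 * ordering that the patch introduces for the MGID string.  All names here
 * (toy_mgrp_t, toy_mgrp_cleanup, format_mgid, reject_join) are hypothetical
 * stand-ins for the OpenSM originals. */
#include <arpa/inet.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct toy_mgrp {
    uint8_t  mgid_raw[16];   /* stand-in for mcmember_rec.mgid.raw */
    uint16_t pkey;           /* stand-in for mcmember_rec.pkey     */
} toy_mgrp_t;

static toy_mgrp_t *toy_mgrp_new(const uint8_t mgid[16], uint16_t pkey)
{
    toy_mgrp_t *g = calloc(1, sizeof *g);
    if (!g)
        return NULL;
    memcpy(g->mgid_raw, mgid, sizeof g->mgid_raw);
    g->pkey = pkey;
    return g;
}

/* Like osm_mgrp_cleanup(): after this call the caller's pointer dangles. */
static void toy_mgrp_cleanup(toy_mgrp_t *g)
{
    free(g);
}

/* Render a 16-byte MGID into buf.  Unlike the patch, the inet_ntop() result
 * is checked, so a failure shows up in the log instead of an empty string.
 * Returns 0 on success, -1 on failure; buf is always NUL-terminated. */
static int format_mgid(const uint8_t raw[16], char *buf, size_t buflen)
{
    memset(buf, 0, buflen);               /* valid empty string even if inet_ntop fails */
    if (!inet_ntop(AF_INET6, raw, buf, (socklen_t)buflen)) {
        snprintf(buf, buflen, "<invalid mgid>");
        return -1;
    }
    return 0;
}

/* Error path of a join request.  Returns the number of bytes written to
 * 'log', or -1 if the message did not fit.  The order is the whole point:
 *   1. snapshot everything the log needs out of p_mgrp,
 *   2. free the group if this request created it,
 *   3. format the message from the snapshot only.
 * Formatting p_mgrp->mgid_raw in step 3 is exactly the Coverity finding. */
static int reject_join(toy_mgrp_t *p_mgrp, int is_new_group,
                       uint64_t portguid, char *log, size_t loglen)
{
    char gid_str[INET6_ADDRSTRLEN];
    uint16_t pkey;

    /* 1. snapshot while p_mgrp is still valid */
    format_mgid(p_mgrp->mgid_raw, gid_str, sizeof gid_str);
    pkey = p_mgrp->pkey;

    /* 2. free; p_mgrp must not be touched below this point */
    if (is_new_group) {
        toy_mgrp_cleanup(p_mgrp);
        p_mgrp = NULL;   /* a later dereference now faults instead of reading freed memory */
    }

    /* 3. log from local copies only */
    int n = snprintf(log, loglen,
                     "ERR: join rejected for MGID %s pkey 0x%04x port 0x%016" PRIx64,
                     gid_str, pkey, portguid);
    return (n < 0 || (size_t)n >= loglen) ? -1 : n;
}

int main(void)
{
    /* constructed MGID ff12:401b:ffff::1 and a constructed port GUID */
    static const uint8_t mgid[16] = { 0xff, 0x12, 0x40, 0x1b, 0xff, 0xff, 0, 0,
                                      0, 0, 0, 0, 0, 0, 0, 1 };
    char log[160];
    toy_mgrp_t *g = toy_mgrp_new(mgid, 0xffff);
    if (!g)
        return 1;
    if (reject_join(g, 1, 0x0002c90300a1b2c3ULL, log, sizeof log) < 0)
        return 1;
    puts(log);
    return 0;
}
```

Building with `cc -fsanitize=address` and swapping steps 2 and 3 (formatting from p_mgrp after toy_mgrp_cleanup()) makes AddressSanitizer report a heap-use-after-free on the first run, which is the cheap regression check to keep next to a fix of this kind; the static analyzer finding alone does not prove the patched order is right, the ordering of the three steps does.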