From patchwork Tue Aug  7 13:44:03 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hal Rosenstock <hal@dev.mellanox.co.il>
X-Patchwork-Id: 10558729
Return-Path: <linux-rdma-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 973A214E5
	for <patchwork-linux-rdma@patchwork.kernel.org>;
 Tue,  7 Aug 2018 13:44:07 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 85C5227F94
	for <patchwork-linux-rdma@patchwork.kernel.org>;
 Tue,  7 Aug 2018 13:44:07 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 7A1EE2868C; Tue,  7 Aug 2018 13:44:07 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham
 version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0C44A27F94
	for <patchwork-linux-rdma@patchwork.kernel.org>;
 Tue,  7 Aug 2018 13:44:07 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2389271AbeHGP63 (ORCPT
        <rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
        Tue, 7 Aug 2018 11:58:29 -0400
Received: from mail-qk0-f193.google.com ([209.85.220.193]:36639 "EHLO
        mail-qk0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2389269AbeHGP63 (ORCPT
        <rfc822;linux-rdma@vger.kernel.org>); Tue, 7 Aug 2018 11:58:29 -0400
Received: by mail-qk0-f193.google.com with SMTP id x192-v6so11422460qkb.3
        for <linux-rdma@vger.kernel.org>;
 Tue, 07 Aug 2018 06:44:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=dev-mellanox-co-il.20150623.gappssmtp.com; s=20150623;
        h=to:cc:from:subject:message-id:date:user-agent:mime-version
         :content-language:content-transfer-encoding;
        bh=vDsicXSHpR1Er34+ZTL0UtNJwR2fLOAemldvHuEVy9w=;
        b=Lu+RDrG1VRH7ebPn8F4wzqUHOJ9uwBWAa6KF2LHnj4iT+sqkV4mT8+QYs0o0Rlp12h
         t4rm0SGObgiKHvEOwjZ8u60sRpxx1KraR59wGmo/uxnJjErzE00czR6bqDvVzhHgq1PN
         nB4eowWydEWkRFhA6ErWubTpBUk8UkUZJr0mGG1Ud1FoV30EllSfYpWavFosvaxD6Qc4
         kttRgx28uNNefOSQdsau/8HSBI8y41DzQXIIOcvIQ+JAIJ8smTxABgP48lXi7QQT83AF
         goHfWEyePsSCXF/hyaSyHDDWbqrBJru2uc0fzSVlkrNiMXXz4Cud7CqDHL0Krv7ap8EC
         nmXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:to:cc:from:subject:message-id:date:user-agent
         :mime-version:content-language:content-transfer-encoding;
        bh=vDsicXSHpR1Er34+ZTL0UtNJwR2fLOAemldvHuEVy9w=;
        b=Gy+t4MEjpmNRr2bqVlAhTVrcS7AURrDqvfwh34a2uNE8N30P0rfbZIi9/QnNLO2cHN
         w8SgwpMcXZK+CxTXC1gsQjgBjxtvn53M/9jlzr+ZT53Lm+lZJ+BIMKuBA+rksiD0RXsD
         deQclGxbVdd7fFFr/3V1GchCY69avg6MhBxsqMafCBA/LxcNiVQq1tOOKybZPce8Aq2u
         OdvsburHyVhVsiFzYQkuY1T0TuT7zon5u+1oJClYVIEh3dWNGufuJAAZj1j2epPWGuwd
         zm8P0FSp3UqyQ4PtipkozHiNzuVVjK211dPFqbH3S0Q9CetsJpG6mZ7Xz5Xwwuxll97i
         uihw==
X-Gm-Message-State: AOUpUlHcfdEXr0eQNgD3+/Hpc20X1wLL1mvkJ5CGVVr3m6Bk7wNp9DLu
        b96han9gYPUG9RkWsV+VTLR1CwGO0dw=
X-Google-Smtp-Source: 
 AAOMgpfUrIqyz8StD5ue+EvKHRVz2vZ4U3Za4dvthCT9531POAcwCuMyjs5ybCfdzSFosApGkYE6Gw==
X-Received: by 2002:a37:b307:: with SMTP id
 c7-v6mr17310965qkf.341.1533649444454;
        Tue, 07 Aug 2018 06:44:04 -0700 (PDT)
Received: from [192.168.1.183] (c-73-142-227-196.hsd1.ma.comcast.net.
 [73.142.227.196])
        by smtp.googlemail.com with ESMTPSA id
 r18-v6sm871961qtc.38.2018.08.07.06.44.03
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 07 Aug 2018 06:44:04 -0700 (PDT)
To: Honggang LI <honli@redhat.com>
Cc: "linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>
From: Hal Rosenstock <hal@dev.mellanox.co.il>
Subject: [PATCH opensm] osm_sa_mcmember_record.c: Fix use after free in
 mcmr_rcv_join_mgrp
Message-ID: <c20f68c4-bc1d-1304-3d41-1a8cd7c3fd89@dev.mellanox.co.il>
Date: Tue, 7 Aug 2018 09:44:03 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Language: en-US
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The cleanup function frees p_mgrp before the osm_log() prints the GUID.

Issue was found by Coverity.

Error: USE_AFTER_FREE (CWE-825): [#def11]
opensm-3.3.20/opensm/osm_sa_mcmember_record.c:1340: freed_arg: "osm_mgrp_cleanup" frees "p_mgrp".
opensm-3.3.20/opensm/osm_multicast.c:184:2: freed_arg: "free" frees parameter "mgrp".
opensm-3.3.20/opensm/osm_sa_mcmember_record.c:1342: deref_after_free: Dereferencing freed pointer "p_mgrp".
|# 1340|   			osm_mgrp_cleanup(sa->p_subn, p_mgrp);
|# 1341|   		CL_PLOCK_RELEASE(sa->p_lock);
|# 1342|-> 		OSM_LOG(sa->p_log, OSM_LOG_ERROR, "ERR 1B12: "
|# 1343|   			"validate_more_comp_fields, validate_port_caps, "
|# 1344|   			"or JoinState = 0 failed for MGID: %s port 0x%016" PRIx64

Error: USE_AFTER_FREE (CWE-825): [#def12]
opensm-3.3.20/opensm/osm_sa_mcmember_record.c:1357: freed_arg: "osm_mgrp_cleanup" frees "p_mgrp".
opensm-3.3.20/opensm/osm_multicast.c:184:2: freed_arg: "free" frees parameter "mgrp".
opensm-3.3.20/opensm/osm_sa_mcmember_record.c:1360: deref_after_free: Dereferencing freed pointer "p_mgrp".
|# 1358|   		CL_PLOCK_RELEASE(sa->p_lock);
|# 1359|   		memset(gid_str, 0, sizeof(gid_str));
|# 1360|-> 		OSM_LOG(sa->p_log, OSM_LOG_ERROR, "ERR 1B14: "
|# 1361|   			"Cannot join port 0x%016" PRIx64 " to MGID %s - "
|# 1362|

Signed-off-by: Dan Ben Yosef <danby@mellanox.com>
Signed-off-by: Alex Netes <alexne@mellanox.com>
Signed-off-by: Hal Rosenstock <hal@mellanox.com>
---
 opensm/osm_sa_mcmember_record.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/opensm/osm_sa_mcmember_record.c b/opensm/osm_sa_mcmember_record.c
index 9b94993..e113416 100644
--- a/opensm/osm_sa_mcmember_record.c
+++ b/opensm/osm_sa_mcmember_record.c
@@ -1345,6 +1345,12 @@ static void mcmr_rcv_join_mgrp(IN osm_sa_t * sa, IN osm_madw_t * p_madw)
 	    || !validate_port_caps(sa->p_log, p_mgrp, p_physp)
 	    || !(join_state != 0)) {
 		char gid_str[INET6_ADDRSTRLEN];
+		memset(gid_str, 0, sizeof(gid_str));
+
+		/* get the gid_str before the cleanup, the cleanup can free the pointer */
+		inet_ntop(AF_INET6, p_mgrp->mcmember_rec.mgid.raw, gid_str,
+			  sizeof gid_str);
+
 		/* since we might have created the new group we need to cleanup */
 		if (is_new_group)
 			osm_mgrp_cleanup(sa->p_subn, p_mgrp);
@@ -1353,9 +1359,7 @@ static void mcmr_rcv_join_mgrp(IN osm_sa_t * sa, IN osm_madw_t * p_madw)
 			"validate_more_comp_fields, validate_port_caps, "
 			"or JoinState = 0 failed for MGID: %s port 0x%016" PRIx64
 			" (%s), sending IB_SA_MAD_STATUS_REQ_INVALID\n",
-			   inet_ntop(AF_INET6, p_mgrp->mcmember_rec.mgid.raw,
-				     gid_str, sizeof gid_str),
-			cl_ntoh64(portguid), p_port->p_node->print_desc);
+			gid_str, cl_ntoh64(portguid), p_port->p_node->print_desc);
 		osm_sa_send_error(sa, p_madw, IB_SA_MAD_STATUS_REQ_INVALID);
 		goto Exit;
 	}