[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 1/4] Fix Use-After-Free

  • To: <win-pv-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Owen Smith <owen.smith@xxxxxxxxxx>
  • Date: Mon, 7 Feb 2022 13:15:00 +0000
  • Authentication-results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
  • Cc: Owen Smith <owen.smith@xxxxxxxxxx>
  • Delivery-date: Mon, 07 Feb 2022 13:15:15 +0000
  • Ironport-data: A9a23:sL2t56lZ1yWjqyIie+3AP+jo5gyhIURdPkR7XQ2eYbSJt1+Wr1Gzt xJKCD+BPPeJYzanKtEkYIjl8h9U78OBmIJlGQo+qXs1HiMWpZLJC+rCIxarNUt+DCFioGGLT Sk6QoOdRCzhZiaE/n9BClVlxJVF/fngqoDUUYYoAQgsA180IMsdoUg7wbRh2NY32YHR7z6l4 rseneWOYDdJ5BYsWo4kw/rrRMRH5amaVJsw5zTSVNgT1LPsvyB94KE3fMldG0DQUIhMdtNWc s6YpF2PEsE1yD92Yj+tuu6TnkTn2dc+NyDW4pZdc/DKbhSvOkXee0v0XRYRQR4/ttmHozx+4 I5gkpiqFggvBIvBsdg4Sx5YP349YaITrdcrIVDn2SCS50jPcn+qyPRyFkAme4Yf/46bA0kXq 6ZecmpUKEne2aTmm9pXScE17ignBM70MYVZoXRh0THxBvc6W5HTBa7N4Le02R9u3ZkWRayBN 6L1bxJ1Miz4YTBvAW4MGbRkprnyqV3OKmBX/Qf9Sa0fvDGIkV0ZPKLWGMXUfJmSW4BZk1iVo krC/n/lGVcKOdqH0z2H/3mwwOjVkkvGtJk6TePisKQw2RvKmzJVWEZ+uUaHTeeR0WOZX8gAJ Eou3CcHkY0q80yHEZqhUEjtyJKbhSI0V91VGuw8zQiCzKvI/gqUblQ5oi59hM8O75FvG2Fzv rOdt5awXGE07uXJIZ6I3urM9VuP1T4pwXjujMPuZS8M+JHdrY46lXojpf4zQffu3rUZ9dwdq g1mTRTSZZ1O16bnNI3hpDgrZg5AQbCTH2YICv3/BD7N0++ATNfNi3aUwVba9+1cC42SU0OMu nMJ8+DHsrxSVMDUzXLcGrxWdF1M2xpiGGeN6WOD4rF7r2j9k5JdVdw4DM5CyLdBbZ9fJG6Bj L77sgJN/p5DVEZGnocsC79d//8ClPC6ffy8D6i8RoMXPvBZKV/WlAkzNBX49z28zyAEz/plU b/FKpnEMJrvIfk+pNZAb7xGiuFDK+FX7T67eK0XODz9jePOPyDEFehZWLZMB8hghJ65TMzu2 443H6O3J993DIUSuwHbrtweK04kN38+CcykosBbbLfbcAFnBHsgG7naxrZ4I95pmKFcl+Hp+ HChWxAHlAqj1COfcQjaOGp+bL7PXIpkqS5pNyIbIlv1iWMoZpyi7flDesJvL6Un7uFq0dV9U +IBJ5ebGv1KRzmeo2YdYJDxoZZMbhOugQ7SbSOpbCJmJ8xrRhDT+8+idQzqrXFcAi2yvMo4g ruhygKEHsZTG1U8VJ7bMav9wUmwsH4RnPNJc3HJetQDKl/x9IVKKjDqiqNlKc87NhielCCR0 BybAElEqLCV8ZM16tTAmYuNs5ytT7llBkNfEmTWseS2OC3d8jbxyINMSr/VLzXUVWey86S+f +RFifr7NaRfzlpNtoN9FZdtzL4/uISz9+MLkFw8ESWZdUmvB5NhPmKCjJtGuaB6z7NEvRe7B xCU8d5ANLTVYM7oHTb9/ub+gjhvAR3MpgTv0A==
  • Ironport-hdrordr: A9a23:WC+xragV9h+ZMX0J0mpMvJqBm3BQXrQji2hC6mlwRA09TyX4ra GTdZsguSMc5Ax7ZJhCo7690cu7Lk80nKQdibX5Vo3OYOCJggGVEL0=
  • Ironport-sdr: 5q+gXkf/gfWJu9zHQqKYSaubZ1HigV198rEIdolAuv3KnTKXLxzS4WXCVqTyrSVxCb2ibi37bi pB8ckH1057z3WG326/LoOrg+CptkIwRomqyXg6BOhNXkpdhiwLkm+XyEuqhH5pxfBjPG61etlZ gGn0RhQy2L1DYa5J/NCoPIQBxlZ79VzkErU59L+wyi0cK8cspneQmmTMnhqSC5CMqD1tkSXKUG gp6xALzdVR+SfJLqksFOjqI1m1rCzPPvu/NanGAo7PmPVusEKPGDou0yLTB1lxkh18xPfGS4DC eOzEmhLWn84k0FCDzocjLKAJ
  • List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>
Stash the underlying buffer pointer before freeing the MDL, so that
MmGetSystemAddressForMdlSafe doesn't attempt to access already-freed
memory.

Signed-off-by: Owen Smith <owen.smith@xxxxxxxxxx>
---
 src/xenbus/fdo.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/xenbus/fdo.c b/src/xenbus/fdo.c
index e2b2702..48d381a 100644
--- a/src/xenbus/fdo.c
+++ b/src/xenbus/fdo.c
@@ -5695,9 +5695,10 @@ __FdoFreeBuffer(
 
     Fdo->Mdl = NULL;
 
+    Buffer = MmGetSystemAddressForMdlSafe(Mdl, NormalPagePriority);
+
     ExFreePool(Mdl);
 
-    Buffer = MmGetSystemAddressForMdlSafe(Mdl, NormalPagePriority);
     MmFreeContiguousMemory(Buffer);
 }
 
-- 
2.33.0.windows.2

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.