| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 04 Apr 2008 01:56:26 +0200
From: Johannes Berg <johannes@...solutions.net>
To: Linux Kernel list <linux-kernel@...r.kernel.org>
Cc: Greg KH <greg@...ah.com>
Subject: debugfs_remove() vs. anything that is dynamic
Consider the following trivial module:
--- %< ---
#include <linux/module.h>
#include <linux/debugfs.h>
static struct dentry *f;
static u32 tmp;
int __init mod_enter(void)
{
f = debugfs_create_u32("tmp-test", 0666, NULL, &tmp);
return 0;
}
void __exit mod_leave(void)
{
debugfs_remove(f);
}
module_init(mod_enter);
module_exit(mod_leave);
MODULE_LICENSE("GPL");
--- >% ---
How do I make that safe?
FWIW, the problem is:
thread 1 thread 2
fd = open("tmp-test")
sleep(30); rmmod test-module
read(fd, buf, 100);
--> accesses now invalid memory because debugfs doesn't actually stop
you from accessing "&tmp" after debugfs_remove(). [yes, I actually
tested a variation of this where I dynamically allocated the 'tmp'
variable, I got the slab poison in my test program]
Personally, I tend to think this makes debugfs rather unusable in
modules and with anything that is dynamically allocated [1]. AFAICT
sysfs avoids this by having object lifetime imposed by sysfs, but
debugfs doesn't work that way.
What am I missing?
johannes
[1] which covers many many current users, it seems at least usbmon,
ohci/ehci/uhci-dbg, pktcdvd, fault injection code, blktrace and probably
more.
Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)
Powered by blists - more mailing lists