lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAEP91RET3sKH_77W7=D0Dcj-itN-2eP=qv3+jNndeSvrVk6xWw@mail.gmail.com>
Date:   Wed, 26 Apr 2017 07:51:32 -0700
From:   Adrian Salido <salidoa@...gle.com>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: [PATCH] driver core: platform: fix race condition with driver_override

> > The driver_override implementation is susceptible to race condition when
> > different threads are reading vs storing a different driver override.
> > Add locking to avoid race condition.
> >
> > Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'")
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Adrian Salido <salidoa@...gle.com>
> > ---
> >  drivers/base/platform.c | 11 +++++++++--
> >  1 file changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/base/platform.c b/drivers/base/platform.c
> > index c2456839214a..493e03fa0e07 100644
> > --- a/drivers/base/platform.c
> > +++ b/drivers/base/platform.c
> > @@ -866,7 +866,7 @@ static ssize_t driver_override_store(struct device *dev,
> >                                    const char *buf, size_t count)
> >  {
> >       struct platform_device *pdev = to_platform_device(dev);
> > -     char *driver_override, *old = pdev->driver_override, *cp;
> > +     char *driver_override, *old, *cp;
> >
> >       if (count > PATH_MAX)
> >               return -EINVAL;
> > @@ -879,12 +879,15 @@ static ssize_t driver_override_store(struct device *dev,
> >       if (cp)
> >               *cp = '\0';
> >
> > +     device_lock(dev);
> > +     old = pdev->driver_override;
> >       if (strlen(driver_override)) {
> >               pdev->driver_override = driver_override;
> >       } else {
> >               kfree(driver_override);
> >               pdev->driver_override = NULL;
> >       }
> > +     device_unlock(dev);
> >
> >       kfree(old);
>
> Shouldn't you move the lock until after the kfree()?  Or am I missing
> what the lock is trying to protect here?

not really, the lock only protecting the variable
pdev->driver_override. Once the value has changed we no longer care
about "old" variable

> >       if (cp)
> >               *cp = '\0';
> >
> > +     device_lock(dev);
> > +     old = pdev->driver_override;
> >       if (strlen(driver_override)) {
> >               pdev->driver_override = driver_override;
> >       } else {
> >               kfree(driver_override);
> >               pdev->driver_override = NULL;
> >       }
> > +     device_unlock(dev);
> >
> >       kfree(old);
>
> >
> > @@ -895,8 +898,12 @@ static ssize_t driver_override_show(struct device *dev,
> >                                   struct device_attribute *attr, char *buf)
> >  {
> >       struct platform_device *pdev = to_platform_device(dev);
> > +     ssize_t len;
> >
> > -     return sprintf(buf, "%s\n", pdev->driver_override);
> > +     device_lock(dev);
> > +     len = sprintf(buf, "%s\n", pdev->driver_override);
> > +     device_unlock(dev);
> > +     return len;
>
> Why does the show function need to be changed at all?  How can anything
> "race" here?

The lock is trying to protect again race between store and show.
Suppose there are 2 threads:

Thread1:
 while (1) {
   driver_override_store("foo");
   driver_override_store("");
 }

Thread2:
while (1) driver_override_show();

Thread 1                                 |         Thread 2
----------------------------------------|-----------------------
old = pdev->driver_override;   |
                                                | len = sprintf(buf,
"%s\n", pdev->driver_override);
                                                | /* snprintf starts reading */
pdev->driver_override =          |
   driver_override;                    |
kfree(old);                                | /* use after free before
snprintf finishes execution */

Similarly there could be a race between multiple threads doing store
where memory leaks could happen

Thanks,
Adrian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ