| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACRpkdZ_jrNNB7n0DOuL6n_JtupiwacbMxWcockTak9F8fdAjA@mail.gmail.com>
Date: Fri, 2 Nov 2018 10:24:53 +0100
From: Linus Walleij <linus.walleij@...aro.org>
To: smuchun@...il.com, Nicolas Pitre <nico@...aro.org>
Cc: Bartosz Golaszewski <bgolaszewski@...libre.com>,
"open list:GPIO SUBSYSTEM" <linux-gpio@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] gpiolib: Fix possible use after free on label
On Thu, Nov 1, 2018 at 4:27 PM Linus Walleij <linus.walleij@...aro.org> wrote:
> On Thu, Nov 1, 2018 at 2:13 PM Muchun Song <smuchun@...il.com> wrote:
>
> > gpiod_request_commit() copies the pointer to the label passed as
> > an argument only to be used later. But there's a chance the caller
> > could immediately free the passed string(e.g., local variable).
> > This could trigger a use after free when we use gpio label(e.g.,
> > gpiochip_unlock_as_irq(), gpiochip_is_requested()).
> >
> > To be on the safe side: duplicate the string with kstrdup_const()
> > so that if an unaware user passes an address to a stack-allocated
> > buffer, we won't get the arbitrary label.
> >
> > Also fix gpiod_set_consumer_name().
> >
> > Signed-off-by: Muchun Song <smuchun@...il.com>
>
> I am still a bit worried about the kstrdup_const() that this
> introduces.
Forget it. I realized after actually reading the code
for kstrdup_const() that it really does exactly
what we want.
I should stop assuming things are syntactic sugar
in the kernel, we have some really smart people
working with it...
Patch applied.
Yours,
Linus Walleij
Powered by blists - more mailing lists