lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 22 Jan 2019 21:28:19 +0100
From:   Sebastian Andrzej Siewior <bigeasy@...utronix.de>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     linux-kernel@...r.kernel.org,
        Andrew Morton <akpm@...ux-foundation.org>,
        Anders Roxell <anders.roxell@...aro.org>,
        Arnd Bergmann <arnd@...db.de>, Michal Hocko <mhocko@...e.com>,
        linux-mm@...ck.org
Subject: Re: [PATCH] backing-dev: no need to check return value of
 debugfs_create functions

On 2019-01-22 19:33:48 [+0100], Greg Kroah-Hartman wrote:
> On Tue, Jan 22, 2019 at 06:19:08PM +0100, Sebastian Andrzej Siewior wrote:
> > but if you cat the stats file then it will dereference the bdi struct
> > which has been free(), right?
> 
> Maybe, I don't know, your code is long gone, it doesn't matter :)

may point is that you may remain with a stats file in debugfs' root
folder which you can cat and then crash.

> > > But step back, how could that original call be NULL?  That only happens
> > > if you pass it a bad parent dentry (which you didn't), or the system is
> > > totally out of memory (in which case you don't care as everything else
> > > is on fire).
> > 
> > debugfs_get_inode() could do -ENOMEM and then the directory creation
> > fails with NULL.
> 
> And if that happens, your system has worse problems :)

So we care to properly handle -ENOMEM in driver's probe function. Those
change find their way to stable kernels.
This unhandled -ENOMEM in debugfs_get_inode() will let
debugfs_create_dir() reuturn NULL. Then debugfs_create_file() will
create the stats in debugfs' root folder. This is a changed behaviour
which is not expected. And then on rmmod the stats file is still present
and will participate in use-after-free if it is read.

> As it's been that way for over a decade, I think we will be fine :)
> If it changes in the future, in some way that actually matters, I'll go
> back and fix up all of the callers.

That is okay then :).
I don't mind if the stats file does not show up due to an error on
probe. It is debugfs after all. However I don't think that it is okay
that the stats file remains in the root folder even after the module has
been removed (and access memory that does not belong to it).

> thanks,
> 
> greg k-h

Sebastian

Powered by blists - more mailing lists