lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAGngYiUh1o8yMjDAO5VFPJ-Jw-fF3q-2NHnz-+DNaEpt7SmwZw@mail.gmail.com>
Date:   Wed, 6 Feb 2019 12:49:22 -0500
From:   Sven Van Asbroeck <thesven73@...il.com>
To:     Dmitry Torokhov <dmitry.torokhov@...il.com>
Cc:     Greg KH <gregkh@...uxfoundation.org>,
        Kees Cook <keescook@...omium.org>, Tejun Heo <tj@...nel.org>,
        Lai Jiangshan <jiangshanlai@...il.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Sebastian Reichel <sre@...nel.org>
Subject: Re: [RFC v1 0/3] Address potential user-after-free on module unload

On Wed, Feb 6, 2019 at 12:30 PM Dmitry Torokhov
<dmitry.torokhov@...il.com> wrote:
>
> Yeah. But devm irq gave most trouble because we did not have enough
> devm APIs so we often ended up with mixed devm/non-devm usage and that
> is what was causing most of the issues. If we can switch everything to
> devm then devm irq is not that troublesome.
>

It sounds to me like _incomplete_ devm_ is worse than no devm at all.

Imagine a devm_ resource depends on a non-devm one:

int acme_probe(struct device *dev)
{
  ...
  r = create_something();
  d = devm_create_thing(dev, r);
}

Then remove could get us into some serious trouble:

void acme_remove(struct device *dev)
{
  /* r _must_ be released here, we have no other place to do it */
  destroy_something(r);
  /* here, d is still alive because it's devm
   * which is cleaned up _after_ remove().
  * Now we have a live resource using a released resource.
  * use-after-free anyone?
  */
}

This is a more generalized version of the issue I originally
observed, where r => struct work_struct.

I'm sure there must be plenty of these around the codebase.

I wish we had a Coccinelle script to catch these, because it's
one thing to fix them today. More will be added tomorrow.
devm_ is so elegant that people frequently use it without
thinking it through.

I certainly would have, before yesterday :)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ