lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 21 Feb 2019 12:09:23 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc:     Dmitry Torokhov <dmitry.torokhov@...il.com>,
        "Rafael J. Wysocki" <rafael@...nel.org>,
        lkml <linux-kernel@...r.kernel.org>, Kay Sievers <kay@...y.org>,
        syzbot <syzbot+f648cfb7e0b52bf7ae32@...kaller.appspotmail.com>
Subject: Re: [PATCH] kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice.

On Thu, Feb 21, 2019 at 07:40:20PM +0900, Tetsuo Handa wrote:
> On 2019/02/21 4:52, Dmitry Torokhov wrote:
> > On Wed, Feb 20, 2019 at 7:07 AM Greg Kroah-Hartman
> > <gregkh@...uxfoundation.org> wrote:
> >> But I would argue that this is not ok, as the remove uevent did NOT get
> >> sent, and you are saying it did.
> > 
> > "It is the thought that counts" here. The code was added to catch
> > cases where nobody even attempted to send "remove" uevents. It does
> > not guarantee that an event will ultimately be sent (we are at the
> > point of no return as far as the rest of the kernel is concerned,
> > there are no repeats or do-overs).
> > 
> >>
> >> What memory is being used-after-free here when we fail to properly send
> >> a uevent?  Shouldn't we fix up that problem correctly?
> 
> It is explained at https://lkml.kernel.org/r/20190219185558.GA210481@dtor-ws .

I agree with Dmitry here, it's not the input layer's job to do this.

But that didn't answer my question, what object is getting reused here?
The input device is now dead at that point in time, no one else can
touch it, but you are saying someone did, right?   Who is that someone?

> > This is the correct fix (in spirit, we may argue about whether it is
> > valid to call the flag "state_add_uevent_sent" now or we should or
> > collapse both it and "state_add_uevent_sent" into
> > "need_send_remove_uevent"). Other subsystems are in their own right to
> > not expect to get uvent callbacks past the point of calling
> > device_del() as they are tearing down parts of the device environment
> > (even though the device structure may stay in memory for a while).
> > 
> > Thanks.
> 
> Which subsystems benefit from commit 0f4dafc0563c6c49 ("Kobject: auto-cleanup
> on final unref") ? If there is no such subsystem, it will be better to remove
> state_add_uevent_sent and state_remove_uevent_sent logic.

You are asking me about a patch from 2007.  I have no idea, try removing
it and see what happens :)

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ