lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Tue, 30 Apr 2019 09:24:27 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Guenter Roeck <linux@...ck-us.net>
Cc:     Venkata Narendra Kumar Gutta <vnkgutta@...eaurora.org>,
        davem@...emloft.net, alexander.deucher@....com,
        tsoni@...eaurora.org, psodagud@...eaurora.org,
        jshriram@...eaurora.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] driver core: platform: Fix the usage of platform device
 name(pdev->name)

On Mon, Apr 29, 2019 at 11:20:58AM -0700, Guenter Roeck wrote:
> Hi,
> 
> On Mon, Apr 22, 2019 at 05:16:29PM -0700, Venkata Narendra Kumar Gutta wrote:
> > Platform core is using pdev->name as the platform device name to do
> > the binding of the devices with the drivers. But, when the platform
> > driver overrides the platform device name with dev_set_name(),
> > the pdev->name is pointing to a location which is freed and becomes
> > an invalid parameter to do the binding match.
> > 
> > use-after-free instance:
> > 
> > [   33.325013] BUG: KASAN: use-after-free in strcmp+0x8c/0xb0
> > [   33.330646] Read of size 1 at addr ffffffc10beae600 by task modprobe
> > [   33.339068] CPU: 5 PID: 518 Comm: modprobe Tainted:
> > 			G S      W  O      4.19.30+ #3
> > [   33.346835] Hardware name: MTP (DT)
> > [   33.350419] Call trace:
> > [   33.352941]  dump_backtrace+0x0/0x3b8
> > [   33.356713]  show_stack+0x24/0x30
> > [   33.360119]  dump_stack+0x160/0x1d8
> > [   33.363709]  print_address_description+0x84/0x2e0
> > [   33.368549]  kasan_report+0x26c/0x2d0
> > [   33.372322]  __asan_report_load1_noabort+0x2c/0x38
> > [   33.377248]  strcmp+0x8c/0xb0
> > [   33.380306]  platform_match+0x70/0x1f8
> > [   33.384168]  __driver_attach+0x78/0x3a0
> > [   33.388111]  bus_for_each_dev+0x13c/0x1b8
> > [   33.392237]  driver_attach+0x4c/0x58
> > [   33.395910]  bus_add_driver+0x350/0x560
> > [   33.399854]  driver_register+0x23c/0x328
> > [   33.403886]  __platform_driver_register+0xd0/0xe0
> > 
> > So, use dev_name(&pdev->dev), which fetches the platform device name from
> > the kobject(dev->kobj->name) of the device instead of the pdev->name.
> > 
> > Signed-off-by: Venkata Narendra Kumar Gutta <vnkgutta@...eaurora.org>
> 
> This patch results in a large number of crashes (statistics: total: 349
> pass: 244 fail: 105) in my boot tests (https://kerneltests.org/builders).
> Affected architectures are (at least) arm, m68k, mips, ppc, and sh.
> The reason for the crash is different for each architecture. Sometimes
> the boot will stall, sometimes there is a crash, and sometimes the system
> will fail to restart.
> 
> Here is an example for a log message, seen on arm (and m68k, but with ttyS
> instead of ttySA).
> 
> WARNING: CPU: 0 PID: 1 at drivers/tty/tty_io.c:1349 tty_init_dev+0x14c/0x1a4
> tty_init_dev: ttySA driver does not set tty->port. This will crash the kernel later. Fix the driver!
> 
> This is then indeed followed by a crash in tty_init_dev().
> 
> Bisect log for m68k attached below. Reverting this patch fixes the
> problem at least for arm, m68k, and mips images.
> 
> Guenter
> 
> ---
> # bad: [3d17a1de96a233cf89bfbb5a77ebb1a05c420681] Add linux-next specific files for 20190429
> # good: [085b7755808aa11f78ab9377257e1dad2e6fa4bb] Linux 5.1-rc6
> git bisect start 'HEAD' 'v5.1-rc6'
> # good: [48ea994d711ca2e66038741e549f3ebd3072e215] Merge remote-tracking branch 'crypto/master'
> git bisect good 48ea994d711ca2e66038741e549f3ebd3072e215
> # good: [2d49c5dbbd93045625927b6acf54bf43f86f97fd] Merge remote-tracking branch 'spi/for-next'
> git bisect good 2d49c5dbbd93045625927b6acf54bf43f86f97fd
> # bad: [7d38461c1c19569f7952c66913b38a78b2c51828] Merge remote-tracking branch 'staging/staging-next'
> git bisect bad 7d38461c1c19569f7952c66913b38a78b2c51828
> # bad: [b827800209cf30ed4e2d3a503044014b56f2b06f] Merge remote-tracking branch 'tty/tty-next'
> git bisect bad b827800209cf30ed4e2d3a503044014b56f2b06f
> # good: [e643fe145f03134a9de2b8996e11e03b8a0cd90a] Merge remote-tracking branch 'tip/auto-latest'
> git bisect good e643fe145f03134a9de2b8996e11e03b8a0cd90a
> # good: [cac573af020fbe8b16c1c769ed692126b8eceb69] Merge remote-tracking branch 'ipmi/for-next'
> git bisect good cac573af020fbe8b16c1c769ed692126b8eceb69
> # good: [ad74b8649beaf1a22cf8641324e3321fa0269d16] usb: typec: ucsi: Preliminary support for alternate modes
> git bisect good ad74b8649beaf1a22cf8641324e3321fa0269d16
> # bad: [9dc730c74af21b8403a9befba0f5f2e3bd9d6be4] Merge remote-tracking branch 'usb/usb-next'
> git bisect bad 9dc730c74af21b8403a9befba0f5f2e3bd9d6be4
> # good: [ab3a9f2ccc080d27873f76869c9a780be45e581e] acpi/hmat: fix an uninitialized memory_target
> git bisect good ab3a9f2ccc080d27873f76869c9a780be45e581e
> # good: [70283454c918f1d65de0ec50c45ef592d781bcae] livepatch: Replace klp_ktype_patch's default_attrs with groups
> git bisect good 70283454c918f1d65de0ec50c45ef592d781bcae
> # good: [33e39350ebd20fe6a77a51b8c21c3aa6b4a208cf] usb: xhci: add Immediate Data Transfer support
> git bisect good 33e39350ebd20fe6a77a51b8c21c3aa6b4a208cf
> # good: [5afa0a5ed3da85f64f27613a38daa1c4f69dd8ff] usb: xhci: add endpoint context tracing when an endpoint is added
> git bisect good 5afa0a5ed3da85f64f27613a38daa1c4f69dd8ff
> # bad: [a85b96e9e11d97a1fb4a683030d6aa98e1a872e8] Merge remote-tracking branch 'driver-core/driver-core-next'
> git bisect bad a85b96e9e11d97a1fb4a683030d6aa98e1a872e8
> # bad: [edb16da34b084c66763f29bee42b4e6bb33c3d66] driver core: platform: Fix the usage of platform device name(pdev->name)
> git bisect bad edb16da34b084c66763f29bee42b4e6bb33c3d66
> # first bad commit: [edb16da34b084c66763f29bee42b4e6bb33c3d66] driver core: platform: Fix the usage of platform device name(pdev->name)

Sorry, this was reverted from my tree about an hour before your message
as others also had problems.  The next linux next should have the revert
in it.

thanks,

greg k-h

Powered by blists - more mailing lists