lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CH2PR12MB42163351853CCC029D28164BAEEC0@CH2PR12MB4216.namprd12.prod.outlook.com>
Date:   Mon, 24 Feb 2020 11:04:50 +0000
From:   Vitor Soares <Vitor.Soares@...opsys.com>
To:     Boris Brezillon <boris.brezillon@...labora.com>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-i3c@...ts.infradead.org" <linux-i3c@...ts.infradead.org>,
        Jose Abreu <Jose.Abreu@...opsys.com>,
        "corbet@....net" <corbet@....net>,
        Joao Pinto <Joao.Pinto@...opsys.com>,
        "arnd@...db.de" <arnd@...db.de>,
        "wsa@...-dreams.de" <wsa@...-dreams.de>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "bbrezillon@...nel.org" <bbrezillon@...nel.org>,
        "broonie@...nel.org" <broonie@...nel.org>
Subject: RE: [PATCH v3 4/5] i3c: add i3cdev module to expose i3c dev in /dev

Hi Boris,

From: Boris Brezillon <boris.brezillon@...labora.com>
Date: Fri, Feb 21, 2020 at 22:32:16

> On Wed, 19 Feb 2020 01:20:42 +0100
> Vitor Soares <Vitor.Soares@...opsys.com> wrote:
> 
> > +static int i3cdev_detach(struct device *dev, void *dummy)
> > +{
> > +	struct i3cdev_data *i3cdev;
> > +	struct i3c_device *i3c;
> > +
> > +	if (dev->type == &i3c_masterdev_type)
> > +		return 0;
> > +
> > +	i3c = dev_to_i3cdev(dev);
> > +
> > +	i3cdev = i3cdev_get_drvdata(i3c);
> > +	if (!i3cdev)
> > +		return 0;
> > +
> > +	/* Prevent transfers while cdev removal */
> > +	mutex_lock(&i3cdev->xfer_lock);
> > +	cdev_del(&i3cdev->cdev);
> 
> When cdev_del() returns there might be opened FDs pointing to your
> i3cdev [1] ...

Yes, I know. I protected the driver part but I missed the 
file->private_data.

> 
> > +	device_destroy(i3cdev_class, MKDEV(MAJOR(i3cdev_number), i3cdev->id));
> > +	mutex_unlock(&i3cdev->xfer_lock);
> > +
> > +	ida_simple_remove(&i3cdev_ida, i3cdev->id);
> > +	put_i3cdev(i3cdev);
> 
> ... and you call put_i3cdev() here which frees the i3cdev object,
> leading to potential use-after-free if any of the fops (ioctl, read,
> write) are called on those dangling FDs. That's exactly the kind of
> nightmare I'd like to avoid.
> 
> > +
> > +	pr_debug("i3cdev: device [%s] unregistered\n", dev_name(&i3c->dev));
> > +
> > +	return 0;
> > +}
> > +
> 
> [1]https://urldefense.proofpoint.com/v2/url?u=https-3A__elixir.bootlin.com_linux_latest_source_fs_char-5Fdev.c-23L587&d=DwICAg&c=DPL6_X_6JkXFx7AXWqB0tg&r=qVuU64u9x77Y0Kd0PhDK_lpxFgg6PK9PateHwjb_DY0&m=tn0F5CeiGtvih3B93GkstU1b2CzoxKklNq4vIvshH8I&s=FwSMjJ-YZFPUB6WCQM0KnFqFSVKp5KdKHdqSiu_0ycU&e=

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ