Date:   Mon, 6 Apr 2020 18:42:46 +0800
From:   宋牧春 <songmuchun@...edance.com>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     Fei Zhang <zhangfeionline@...il.com>, rafael@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [External] Re: [PATCH] driver core: Fix possible use after free on name

Hi Greg,

Greg KH <gregkh@...uxfoundation.org> wrote on Mon, Apr 6, 2020 at 4:29 PM:
>
> A: http://en.wikipedia.org/wiki/Top_post
> Q: Where do I find info about this thing called top-posting?
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
>
> A: No.
> Q: Should I include quotations after my reply?
>
> http://daringfireball.net/2007/07/on_top
>
> On Mon, Apr 06, 2020 at 03:40:41PM +0800, Fei Zhang wrote:
> > Dear Greg,
> >
> > Mostly, class_create() is used in kernel driver modules, basically with
> > read-only strings, but it is easier to use a local variable string.
> > When writing a driver module, it fails to judge the local variable
> > string, which cannot be passed in only via the interface.
> > I found that someone else may also face the same problem.
>
> An individual driver should NOT be creating a class, that is not what it
> is there for.

If someone wants to create a virtual device, they can call device_create().
But its first argument is of type 'struct class *', so we have to call
class_create() before creating the device. So an individual driver may be
creating a class, right?

>
> Class names are very "rare" and should not be dynamically created at
> all.

I have reviewed the code of kstrdup_const(), which is shown below.

const char *kstrdup_const(const char *s, gfp_t gfp)
{
        /* A string that lives in kernel rodata can be referenced directly. */
        if (is_kernel_rodata((unsigned long)s))
                return s;

        /* Anything else (stack or heap memory) is copied so we own it. */
        return kstrdup(s, gfp);
}

A read-only string lives in the kernel rodata, so we do not need to
dynamically allocate memory to store the name. So with this patch applied,
nothing is changed, which means that we do not waste memory. But it can
prevent someone from reading a stale name if an unaware user passes the
address of a stack-allocated buffer.

So I think it is worth fixing, right?

-- 
Yours,
Muchun
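The behaviour discussed in this thread, as an added user-space model that is not kernel code and not part of the patch: rodata_names, is_rodata(), strdup_const(), cls_create() and name_survives() are assumed stand-ins for kernel rodata, is_kernel_rodata(), kstrdup_const(), class_create() and a driver that passes a short-lived buffer as the class name.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for kernel .rodata: names placed here are never copied or freed. */
static const char rodata_names[] = "ttyclass\0gpioclass";
/* Model of is_kernel_rodata(): does p point into our stand-in section? */
static int is_rodata(const char *p)
{
	return (uintptr_t)p - (uintptr_t)rodata_names < sizeof(rodata_names);
}

/* Model of kstrdup_const(): a rodata string is returned as-is, anything
 * else (stack or heap buffer) is copied so the class owns its name. */
static const char *strdup_const(const char *s)
{
	if (is_rodata(s))
		return s;
	size_t n = strlen(s) + 1;
	char *d = malloc(n);
	return d ? memcpy(d, s, n) : NULL;
}

struct cls { const char *name; };
/* fixed == 0 stores the caller's pointer (the bug); fixed == 1 owns a copy. */
static struct cls *cls_create(const char *name, int fixed)
{
	struct cls *c = calloc(1, sizeof(*c));
	if (c)
		c->name = fixed ? strdup_const(name) : name;
	return c;
}

/* 1 if the class still reports "myclass" after the caller reuses its buffer. */
static int name_survives(int fixed)
{
	char buf[16] = "myclass";              /* caller-owned, short-lived buffer */
	struct cls *c = cls_create(buf, fixed);
	strcpy(buf, "stale!");                 /* buffer reused after class creation */
	int ok = c && c->name && strcmp(c->name, "myclass") == 0;
	if (c && fixed)
		free((void *)c->name);         /* the copy is heap memory */
	free(c);
	return ok;
}

/* 1 if a rodata name is stored by pointer, i.e. without any allocation. */
static int rodata_name_is_shared(void)
{
	struct cls *c = cls_create(rodata_names, 1);
	int shared = c && c->name == rodata_names;
	free(c);
	return shared;
}
```

The unfixed path reads whatever the caller's buffer holds later (a stale name), while the fixed path keeps its own copy and still costs nothing for rodata names.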
