lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 28 Apr 2020 08:53:14 -0700
From:   Evan Green <evgreen@...omium.org>
To:     Dmitry Torokhov <dmitry.torokhov@...il.com>
Cc:     stable@...r.kernel.org,
        Nick Desaulniers <nick.desaulniers@...il.com>,
        Allison Randal <allison@...utok.net>,
        Andrew Duggan <aduggan@...aptics.com>,
        Benjamin Tissoires <benjamin.tissoires@...hat.com>,
        Enrico Weigelt <info@...ux.net>,
        Thomas Gleixner <tglx@...utronix.de>,
        linux-input@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] Input: synaptics-rmi4 - Really fix attn_data use-after-free

On Mon, Apr 27, 2020 at 6:11 PM Dmitry Torokhov
<dmitry.torokhov@...il.com> wrote:
>
> On Mon, Apr 27, 2020 at 02:55:48PM -0700, Evan Green wrote:
> > Fix a use-after-free noticed by running with KASAN enabled. If
> > rmi_irq_fn() is run twice in a row, then rmi_f11_attention() (among
> > others) will end up reading from drvdata->attn_data.data, which was
> > freed and left dangling in rmi_irq_fn().
> >
> > Commit 55edde9fff1a ("Input: synaptics-rmi4 - prevent UAF reported by
> > KASAN") correctly identified and analyzed this bug. However the attempted
> > fix only NULLed out a local variable, missing the fact that
> > drvdata->attn_data is a struct, not a pointer.
> >
> > NULL out the correct pointer in the driver data to prevent the attention
> > functions from copying from it.
> >
> > Fixes: 55edde9fff1a ("Input: synaptics-rmi4 - prevent UAF reported by KASAN")
> > Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
> >
> > Signed-off-by: Evan Green <evgreen@...omium.org>
> >
> > Cc: stable@...r.kernel.org
> > Cc: Nick Desaulniers <nick.desaulniers@...il.com>
>
> Ugh, this is all kind of ugly, but I guess that's what we have now.
> Applied, thank you.

Thanks Dmitry. There are other bits that sketch me out in here as
well, but I didn't get a chance to really figure out if they're a
problem. We call rmi_process_interrupt_requests(), which results in
reads from that same attn_data.data pointer, in a few different
places. Some of those calls are outside the irq handling path, like
the in rmi_enable_irq() and rmi_enable_sensor(). Can they race with
the irq handling path? (Meaning they'd be doing those attn_data.data
reads as rmi_irq_fn() is kfreeing the data?) There are a smattering of
mutexes around, but I'm not sure if they're trying to protect this.

If I can find some time I'll try to submit a patch. Anyone is welcome
to beat me to it though.
-Evan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ