[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210413165138.GI4332@42.do-not-panic.com>
Date: Tue, 13 Apr 2021 16:51:38 +0000
From: Luis Chamberlain <mcgrof@...nel.org>
To: Anirudh Rayabharam <mail@...rudhrb.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Rafael J. Wysocki" <rafael@...nel.org>,
Junyong Sun <sunjy516@...il.com>,
syzbot+de271708674e2093097b@...kaller.appspotmail.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] firmware_loader: fix use-after-free in
firmware_fallback_sysfs
On Tue, Apr 13, 2021 at 04:12:42PM +0530, Anirudh Rayabharam wrote:
> The use-after-free happens when a fw_priv object has been freed but
> hasn't been removed from the pending list (pending_fw_head). The next
> time fw_load_sysfs_fallback tries to insert into the list, it ends up
> accessing the pending_list member of the previoiusly freed fw_priv.
>
> In commit bcfbd3523f3c ("firmware: fix a double abort case with
> fw_load_sysfs_fallback"), fw_load_abort() is skipped if
> fw_sysfs_wait_timeout() returns -ENOENT. This causes the fw_priv to
> not be removed from the pending list.
>
> To fix this, delete the fw_priv from the pending list when retval
> is -ENOENT instead of skipping the entire block.
>
> Fixes: bcfbd3523f3c ("firmware: fix a double abort case with fw_load_sysfs_fallback")
> Reported-by: syzbot+de271708674e2093097b@...kaller.appspotmail.com
> Tested-by: syzbot+de271708674e2093097b@...kaller.appspotmail.com
> Signed-off-by: Anirudh Rayabharam <mail@...rudhrb.com>
Thanks for your patch Anirudh, but please also see this reply to the
issue:
http://lkml.kernel.org/r/20210403013143.GV4332@42.do-not-panic.com
The way you patched the issue is just a band-aid, meaning we keep on
moving the issue further and it seems that's just the wrong approach.
Can you try the patch in that thread, to verify if the UAF goes away?
Powered by blists - more mailing lists