lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20210709134528.GA2168@kadam>
Date:   Fri, 9 Jul 2021 16:45:28 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Dongliang Mu <mudongliangabcd@...il.com>
Cc:     Jacob Chen <jacob-chen@...wrt.com>,
        Ezequiel Garcia <ezequiel@...labora.com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Heiko Stuebner <heiko@...ech.de>,
        Hans Verkuil <hansverk@...co.com>, linux-media@...r.kernel.org,
        linux-rockchip@...ts.infradead.org,
        linux-kernel <linux-kernel@...r.kernel.org>,
        kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] media: rockchip/rga: fix a use after free in rga_probe()

On Fri, Jul 09, 2021 at 05:49:26PM +0800, Dongliang Mu wrote:
> On Fri, Jul 9, 2021 at 2:38 PM Dan Carpenter <dan.carpenter@...cle.com> wrote:
> >
> > The video_device_release() frees the "vfd" pointer so passing it to
> > video_unregister_device() on the next line results in a use after free.
> > Calling video_unregister_device() on a device that hasn't been
> > registered is supposed to be a no-op so that can be removed.  The paths
> > with to goto unreg_video_dev have a memory leak and should be updated to
> > goto rel_vdev instead.
> >
> > Fixes: f7e7b48e6d79 ("[media] rockchip/rga: v4l2 m2m support")
> > Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> > ---
> >  drivers/media/platform/rockchip/rga/rga.c | 6 ++----
> >  1 file changed, 2 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/media/platform/rockchip/rga/rga.c b/drivers/media/platform/rockchip/rga/rga.c
> > index bf3fd71ec3af..37f7fd060c38 100644
> > --- a/drivers/media/platform/rockchip/rga/rga.c
> > +++ b/drivers/media/platform/rockchip/rga/rga.c
> > @@ -863,12 +863,12 @@ static int rga_probe(struct platform_device *pdev)
> >         if (IS_ERR(rga->m2m_dev)) {
> >                 v4l2_err(&rga->v4l2_dev, "Failed to init mem2mem device\n");
> >                 ret = PTR_ERR(rga->m2m_dev);
> > -               goto unreg_video_dev;
> > +               goto rel_vdev;
> >         }
> >
> >         ret = pm_runtime_resume_and_get(rga->dev);
> >         if (ret < 0)
> > -               goto unreg_video_dev;
> > +               goto rel_vdev;
> >
> >         rga->version.major = (rga_read(rga, RGA_VERSION_INFO) >> 24) & 0xFF;
> >         rga->version.minor = (rga_read(rga, RGA_VERSION_INFO) >> 20) & 0x0F;
> > @@ -904,8 +904,6 @@ static int rga_probe(struct platform_device *pdev)
> >
> >  rel_vdev:
> >         video_device_release(vfd);
> > -unreg_video_dev:
> > -       video_unregister_device(rga->vfd);
> >  unreg_v4l2_dev:
> >         v4l2_device_unregister(&rga->v4l2_dev);
> >  err_put_clk:
> 
> >From the analysis of rga_probe and rga_remove function, the init and
> cleanup functions are in pairs as follows:
> 

Yeah.  You're right.  It's leaky.  This is like the stuff Christophe
Jaillet has been working on.

This is also slightly complicated because what about if the call to
device_register() fails inside video_register_device()?  In that case
we're not allowed to call video_device_release().  I think the way
people deal with that is because device_register() never fails in real
life so let's ignore that possibility.

I sort of hate device_register() because it introduces a lot of bugs
like this which don't affect real life.  Inside the __video_register_device()
function itself we just ignore errors from video_register_media_controller()
because there is no possible way to handle it in a bug free way.  Again,
it's not a bug which is going to affect real life, but it's just
frustrating to not be able to write code which is correct in a technical
sense.

Ah well...  Fine.  I'll resend.

regards,
dan carpenter


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ