| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220427135823.GD71@qian>
Date: Wed, 27 Apr 2022 09:58:23 -0400
From: Qian Cai <quic_qiancai@...cinc.com>
To: ThiƩbaud Weksteen <tweek@...gle.com>
CC: Luis Chamberlain <mcgrof@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jeffrey Vander Stoep <jeffv@...gle.com>,
Saravana Kannan <saravanak@...gle.com>,
Alistair Delva <adelva@...gle.com>,
Adam Shih <adamshih@...gle.com>, <selinux@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] firmware_loader: use kernel credentials when reading
firmware
On Fri, Apr 22, 2022 at 11:32:15AM +1000, ThiƩbaud Weksteen wrote:
> drivers/base/firmware_loader/main.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
> index 94d1789a233e..8f3c2b2cfc61 100644
> --- a/drivers/base/firmware_loader/main.c
> +++ b/drivers/base/firmware_loader/main.c
> @@ -735,6 +735,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> size_t offset, u32 opt_flags)
> {
> struct firmware *fw = NULL;
> + struct cred *kern_cred = NULL;
> + const struct cred *old_cred;
> bool nondirect = false;
> int ret;
>
> @@ -751,6 +753,18 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> if (ret <= 0) /* error or already assigned */
> goto out;
>
> + /*
> + * We are about to try to access the firmware file. Because we may have been
> + * called by a driver when serving an unrelated request from userland, we use
> + * the kernel credentials to read the file.
> + */
> + kern_cred = prepare_kernel_cred(NULL);
This triggers quite some leak reports from kmemleak.
unreferenced object 0xffff0801e47690c0 (size 176):
comm "kworker/0:1", pid 14, jiffies 4294904047 (age 2208.624s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
kmem_cache_alloc
prepare_kernel_cred
_request_firmware
firmware_request_nowarn
firmware_request_nowarn at drivers/base/firmware_loader/main.c:933
nvkm_firmware_get [nouveau]
nvkm_firmware_get at drivers/gpu/drm/nouveau/nvkm/core/firmware.c:92
nvkm_firmware_load_name [nouveau]
nvkm_acr_lsfw_load_bl_inst_data_sig [nouveau]
gm200_gr_load [nouveau]
gf100_gr_new_ [nouveau]
tu102_gr_new [nouveau]
nvkm_device_ctor [nouveau]
nvkm_device_pci_new [nouveau]
nouveau_drm_probe [nouveau]
local_pci_probe
work_for_cpu_fn
process_one_work
> + if (!kern_cred) {
> + ret = -ENOMEM;
> + goto out;
> + }
> + old_cred = override_creds(kern_cred);
> +
> ret = fw_get_filesystem_firmware(device, fw->priv, "", NULL);
>
> /* Only full reads can support decompression, platform, and sysfs. */
> @@ -776,6 +790,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> } else
> ret = assign_fw(fw, device);
>
> + revert_creds(old_cred);
> +
> out:
> if (ret < 0) {
> fw_abort_batch_reqs(fw);
> --
> 2.36.0.rc2.479.g8af0fa9b8e-goog
>
Powered by blists - more mailing lists