lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YmlQy7jnIY6Wh7/2@kroah.com>
Date:   Wed, 27 Apr 2022 16:18:51 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Qian Cai <quic_qiancai@...cinc.com>
Cc:     ThiƩbaud Weksteen <tweek@...gle.com>,
        Luis Chamberlain <mcgrof@...nel.org>,
        Jeffrey Vander Stoep <jeffv@...gle.com>,
        Saravana Kannan <saravanak@...gle.com>,
        Alistair Delva <adelva@...gle.com>,
        Adam Shih <adamshih@...gle.com>, selinux@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] firmware_loader: use kernel credentials when reading
 firmware

On Wed, Apr 27, 2022 at 09:58:23AM -0400, Qian Cai wrote:
> On Fri, Apr 22, 2022 at 11:32:15AM +1000, ThiƩbaud Weksteen wrote:
> >  drivers/base/firmware_loader/main.c | 16 ++++++++++++++++
> >  1 file changed, 16 insertions(+)
> > 
> > diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
> > index 94d1789a233e..8f3c2b2cfc61 100644
> > --- a/drivers/base/firmware_loader/main.c
> > +++ b/drivers/base/firmware_loader/main.c
> > @@ -735,6 +735,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> >  		  size_t offset, u32 opt_flags)
> >  {
> >  	struct firmware *fw = NULL;
> > +	struct cred *kern_cred = NULL;
> > +	const struct cred *old_cred;
> >  	bool nondirect = false;
> >  	int ret;
> >  
> > @@ -751,6 +753,18 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> >  	if (ret <= 0) /* error or already assigned */
> >  		goto out;
> >  
> > +	/*
> > +	 * We are about to try to access the firmware file. Because we may have been
> > +	 * called by a driver when serving an unrelated request from userland, we use
> > +	 * the kernel credentials to read the file.
> > +	 */
> > +	kern_cred = prepare_kernel_cred(NULL);
> 
> This triggers quite some leak reports from kmemleak.
> 
> unreferenced object 0xffff0801e47690c0 (size 176):
>   comm "kworker/0:1", pid 14, jiffies 4294904047 (age 2208.624s)
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>      kmem_cache_alloc
>      prepare_kernel_cred
>      _request_firmware
>      firmware_request_nowarn
>      firmware_request_nowarn at drivers/base/firmware_loader/main.c:933
>      nvkm_firmware_get [nouveau]
>      nvkm_firmware_get at drivers/gpu/drm/nouveau/nvkm/core/firmware.c:92
>      nvkm_firmware_load_name [nouveau]
>      nvkm_acr_lsfw_load_bl_inst_data_sig [nouveau]
>      gm200_gr_load [nouveau]
>      gf100_gr_new_ [nouveau]
>      tu102_gr_new [nouveau]
>      nvkm_device_ctor [nouveau]
>      nvkm_device_pci_new [nouveau]
>      nouveau_drm_probe [nouveau]
>      local_pci_probe
>      work_for_cpu_fn
>      process_one_work

Ugh, yeah, a put_cred() is not called after this.

I'll go revert this commit for now as it needs more work.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ