| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Apr 2022 16:18:51 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Qian Cai <quic_qiancai@...cinc.com>
Cc: ThiƩbaud Weksteen <tweek@...gle.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Jeffrey Vander Stoep <jeffv@...gle.com>,
Saravana Kannan <saravanak@...gle.com>,
Alistair Delva <adelva@...gle.com>,
Adam Shih <adamshih@...gle.com>, selinux@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] firmware_loader: use kernel credentials when reading
firmware
On Wed, Apr 27, 2022 at 09:58:23AM -0400, Qian Cai wrote:
> On Fri, Apr 22, 2022 at 11:32:15AM +1000, ThiƩbaud Weksteen wrote:
> > drivers/base/firmware_loader/main.c | 16 ++++++++++++++++
> > 1 file changed, 16 insertions(+)
> >
> > diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
> > index 94d1789a233e..8f3c2b2cfc61 100644
> > --- a/drivers/base/firmware_loader/main.c
> > +++ b/drivers/base/firmware_loader/main.c
> > @@ -735,6 +735,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> > size_t offset, u32 opt_flags)
> > {
> > struct firmware *fw = NULL;
> > + struct cred *kern_cred = NULL;
> > + const struct cred *old_cred;
> > bool nondirect = false;
> > int ret;
> >
> > @@ -751,6 +753,18 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> > if (ret <= 0) /* error or already assigned */
> > goto out;
> >
> > + /*
> > + * We are about to try to access the firmware file. Because we may have been
> > + * called by a driver when serving an unrelated request from userland, we use
> > + * the kernel credentials to read the file.
> > + */
> > + kern_cred = prepare_kernel_cred(NULL);
>
> This triggers quite some leak reports from kmemleak.
>
> unreferenced object 0xffff0801e47690c0 (size 176):
> comm "kworker/0:1", pid 14, jiffies 4294904047 (age 2208.624s)
> hex dump (first 32 bytes):
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> kmem_cache_alloc
> prepare_kernel_cred
> _request_firmware
> firmware_request_nowarn
> firmware_request_nowarn at drivers/base/firmware_loader/main.c:933
> nvkm_firmware_get [nouveau]
> nvkm_firmware_get at drivers/gpu/drm/nouveau/nvkm/core/firmware.c:92
> nvkm_firmware_load_name [nouveau]
> nvkm_acr_lsfw_load_bl_inst_data_sig [nouveau]
> gm200_gr_load [nouveau]
> gf100_gr_new_ [nouveau]
> tu102_gr_new [nouveau]
> nvkm_device_ctor [nouveau]
> nvkm_device_pci_new [nouveau]
> nouveau_drm_probe [nouveau]
> local_pci_probe
> work_for_cpu_fn
> process_one_work
Ugh, yeah, a put_cred() is not called after this.
I'll go revert this commit for now as it needs more work.
thanks,
greg k-h
Powered by blists - more mailing lists