Message-ID: <120f6850.7be3.181afa11f50.Coremail.windhl@126.com>
Date: Wed, 29 Jun 2022 21:23:01 +0800 (CST)
From: "Liang He" <windhl@....com>
To: "Pavel Machek" <pavel@...x.de>
Cc: "Sasha Levin" <sashal@...nel.org>, linux-kernel@...r.kernel.org,
stable@...r.kernel.org,
"Thomas Bogendoerfer" <tsbogend@...ha.franken.de>,
yangtiezhu@...ngson.cn, linux-mips@...r.kernel.org
Subject: Re:Re: [PATCH AUTOSEL 4.9 11/13] mips/pic32/pic32mzda: Fix refcount leak bugs
At 2022-06-29 21:06:17, "Pavel Machek" <pavel@...x.de> wrote:
>Hi!
>
>> From: Liang He <windhl@....com>
>>
>> [ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
>>
>> of_find_matching_node(), of_find_compatible_node() and
>> of_find_node_by_path() will return node pointers with refcout
>> incremented. We should call of_node_put() when they are not
>> used anymore.
>
>It looks like this may introduces an use-after-free bug:
>
>> +++ b/arch/mips/pic32/pic32mzda/init.c
>> @@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup)
>> np = of_find_compatible_node(NULL, NULL, lookup->compatible);
>> if (np) {
>> lookup->name = (char *)np->name;
>> - if (lookup->phys_addr)
>> + if (lookup->phys_addr) {
>> + of_node_put(np);
>> continue;
>> + }
>> if (!of_address_to_resource(np, 0, &res))
>> lookup->phys_addr = res.start;
>> + of_node_put(np);
>> }
>> }
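Review bot: lookup->name is still pointing at np->name after the of_node_put(np) added at the end of this hunk (and in the new early-exit branch), so the stored string now depends on some other reference keeping the node alive; the commit message should say which one (for example that the tree's own reference to this node is never dropped on this platform), or the name should be copied with kstrdup() instead of referenced. As a style point, the two puts could be collapsed into one by folding the early exit into the address lookup, e.g. `if (!lookup->phys_addr && !of_address_to_resource(np, 0, &res)) lookup->phys_addr = res.start;` followed by a single `of_node_put(np);`, which also makes the balance against of_find_compatible_node() easier to see.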
>
>lookup->name now contains pointer taken from np->name, but we did
>put() on the np. What guarantees np->name is not freed?
>
>Best regards,
> Pavel
Hi, Pavel.
Thanks for reviewing this patched code.
In fact, the |PUT| on 'np' will not lead to the |FREE|.
First, before calling of_find_compatible_node(), the target object's refcount must be >= 1, as the object is alive.
Then, after calling of_find_compatible_node(), its refcount must be >=2.
So, after calling of_node_put(np), its refcount must be still >=1.
In fact, these |PUT|s are just used to keep refcount balance for the |GET| in of_find_compatible_node().
If there is anything wrong, please correct me.
Thanks very much for reviewing my patch code.
Liang
>--
>DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
>HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany