| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 13 Nov 2022 11:03:20 +0200
From: Eli Billauer <eli.billauer@...il.com>
To: Hyunwoo Kim <imv4bel@...il.com>
Cc: gregkh@...uxfoundation.org, arnd@...db.de,
linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
stern@...land.harvard.edu
Subject: Re: [PATCH v2] char: xillybus: Prevent use-after-free due to race
condition
On 13/11/2022 10:47, Hyunwoo Kim wrote:
> And, even if the mutex_unlock(&unit_mutex); of xillybus_find_inode()
> is finally moved, xdev may be released before kref_get() is executed
> if xillyusb_disconnect() ends just before the function returns.
> (Of course, this is an extremely rare case.)
>
> So, in xillyusb_open() we need to move kref_get() above xillybus_find_inode().
First of all, that's impossible. kref_get() is called on a member of a
specific @xdev's struct, and it's xillybus_find_inode()'s job to find
it. So before the call to xillybus_find_inode(), we don't know which
@xdev it is. That's the tricky part of all this.
The solution of this submitted patch was a lock that briefly prevents
the kref_put() of all @xdevs. The way it works is that if an @xdev is
found by xillybus_find_inode(), it necessarily means that
xillyusb_disconnect()'s call to xillybus_cleanup_chrdev() hasn't
returned (yet). Therefore, holding @kref_mutex guarantees that the
kref_put() call, which is later on, isn't reached for the @xdev that has
been found.
If you've found a flaw in this mechanism, please be more specific about it.
Regards,
Eli
Powered by blists - more mailing lists