lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20221227063335.61474-1-zh.nvgt@gmail.com>
Date:   Mon, 26 Dec 2022 22:33:35 -0800
From:   Hang Zhang <zh.nvgt@...il.com>
To:     unlisted-recipients:; (no To-header on input)
Cc:     "Rafael J . Wysocki" <rafael@...nel.org>,
        Len Brown <lenb@...nel.org>, linux-acpi@...r.kernel.org,
        linux-kernel@...r.kernel.org, Hang Zhang <zh.nvgt@...il.com>
Subject: [PATCH] ACPI: custom_method: fix potential use-after-free issues

cm_write() is the .write callback of the custom_method debugfs
interface, it operates on a global pointer "buf" (e.g., dereference,
allocate, free, and nullification), the problem is that cm_write()
is not protected by any locks, so concurrent invocations of it
may cause use-after-free issues for "buf", e.g., one invocation
may have just freed "buf" while being preempted before nullifying
the pointer, then another invocation can dereference the now dangling
"buf" pointer.

Fix the issue by protecting the "buf" operations in cm_write() with
the inode write lock. Note that the .llseek callback of the debugfs
interface has been protected by the same lock, this patch basically
introduces it to the .write callback as well.

Signed-off-by: Hang Zhang <zh.nvgt@...il.com>
---
 drivers/acpi/custom_method.c | 43 +++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 13 deletions(-)

diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index d39a9b474727..e3de5a06d903 100644
--- a/drivers/acpi/custom_method.c
+++ b/drivers/acpi/custom_method.c
@@ -29,28 +29,38 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
 	struct acpi_table_header table;
 	acpi_status status;
 	int ret;
+	struct inode *inode = file_inode(file);
 
 	ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
 	if (ret)
 		return ret;
 
+	inode_lock(inode);
 	if (!(*ppos)) {
 		/* parse the table header to get the table length */
-		if (count <= sizeof(struct acpi_table_header))
-			return -EINVAL;
+		if (count <= sizeof(struct acpi_table_header)) {
+			ret = -EINVAL;
+			goto err;
+		}
 		if (copy_from_user(&table, user_buf,
-				   sizeof(struct acpi_table_header)))
-			return -EFAULT;
+				   sizeof(struct acpi_table_header))) {
+			ret = -EFAULT;
+			goto err;
+		}
 		uncopied_bytes = max_size = table.length;
 		/* make sure the buf is not allocated */
 		kfree(buf);
 		buf = kzalloc(max_size, GFP_KERNEL);
-		if (!buf)
-			return -ENOMEM;
+		if (!buf) {
+			ret = -ENOMEM;
+			goto err;
+		}
 	}
 
-	if (buf == NULL)
-		return -EINVAL;
+	if (buf == NULL) {
+		ret = -EINVAL;
+		goto err;
+	}
 
 	if ((*ppos > max_size) ||
 	    (*ppos + count > max_size) ||
@@ -58,13 +68,15 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
 	    (count > uncopied_bytes)) {
 		kfree(buf);
 		buf = NULL;
-		return -EINVAL;
+		ret = -EINVAL;
+		goto err;
 	}
 
 	if (copy_from_user(buf + (*ppos), user_buf, count)) {
 		kfree(buf);
 		buf = NULL;
-		return -EFAULT;
+		ret = -EFAULT;
+		goto err;
 	}
 
 	uncopied_bytes -= count;
@@ -74,12 +86,17 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
 		status = acpi_install_method(buf);
 		kfree(buf);
 		buf = NULL;
-		if (ACPI_FAILURE(status))
-			return -EINVAL;
+		if (ACPI_FAILURE(status)) {
+			ret = -EINVAL;
+			goto err;
+		}
 		add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE);
 	}
 
-	return count;
+	ret = count;
+err:
+	inode_unlock(inode);
+	return ret;
 }
 
 static const struct file_operations cm_fops = {
-- 
2.39.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ