lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAO2zrtbXDdWLhyZkJhisou4zxypxA-Fhpxx1Cop1ZXXf3oUxeA@mail.gmail.com>
Date:   Fri, 30 Dec 2022 18:28:20 -0500
From:   Hang Zhang <zh.nvgt@...il.com>
To:     "Rafael J. Wysocki" <rafael@...nel.org>
Cc:     Len Brown <lenb@...nel.org>, linux-acpi@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ACPI: custom_method: fix potential use-after-free issues

On Fri, Dec 30, 2022 at 1:31 PM Rafael J. Wysocki <rafael@...nel.org> wrote:
>
> On Tue, Dec 27, 2022 at 7:34 AM Hang Zhang <zh.nvgt@...il.com> wrote:
> >
> > cm_write() is the .write callback of the custom_method debugfs
> > interface, it operates on a global pointer "buf" (e.g., dereference,
> > allocate, free, and nullification), the problem is that cm_write()
> > is not protected by any locks, so concurrent invocations of it
> > may cause use-after-free issues for "buf", e.g., one invocation
> > may have just freed "buf" while being preempted before nullifying
> > the pointer, then another invocation can dereference the now dangling
> > "buf" pointer.
> >
> > Fix the issue by protecting the "buf" operations in cm_write() with
> > the inode write lock. Note that the .llseek callback of the debugfs
> > interface has been protected by the same lock, this patch basically
> > introduces it to the .write callback as well.
>
> The problem is there, but the whole state is not protected from
> concurrent use and the fix doesn't look sufficient to me (for example,
> a different writer may start writing into the file before the previous
> one has finished and the result will still be broken AFAICS).
>
> It looks like the file should be prevented from being opened by more
> than one writer at a time.
>
> Or maybe it's time to drop this interface from the kernel altogether.

Hi, Rafael,

Thank you very much for your feedback! We initially intended to bring
up this potential concurrent UAF issue to the community with this
tentative patch, but we do not have deep domain knowledge for the
ACPI subsystem and the bigger picture, so your comment is highly
valuable to us!

As far as I can understand, inode_lock is uniquely associated with
the opened file, e.g., if two writers open the same debugfs file
and write to it, then inode_lock as used in this patch should be
able to synchronize their concurrent write because their inode_lock
are on the same semaphore. Do you mean that this "custom_method"
driver will handle the .open/.write of multiple different debugfs
file instances, so that writers accessing different file instances
will not be properly synchronized with inode_lock? Sorry if I missed
anything here, and thank you in advance for your explanation!

I also think it is a good solution to totally drop this interface
if the maintainers consider it appropriate (I do not have
the knowledge to assess the role this interface plays, though).
Thank you for your help!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ