lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 2 Jan 2023 14:51:56 +0100
From:   "Rafael J. Wysocki" <rafael@...nel.org>
To:     "Zhang, Rui" <rui.zhang@...el.com>
Cc:     "zh.nvgt@...il.com" <zh.nvgt@...il.com>,
        "rafael@...nel.org" <rafael@...nel.org>,
        "lenb@...nel.org" <lenb@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-acpi@...r.kernel.org" <linux-acpi@...r.kernel.org>
Subject: Re: [PATCH] ACPI: custom_method: fix potential use-after-free issues

On Mon, Jan 2, 2023 at 2:42 PM Zhang, Rui <rui.zhang@...el.com> wrote:
>
> On Fri, 2022-12-30 at 19:31 +0100, Rafael J. Wysocki wrote:
> > On Tue, Dec 27, 2022 at 7:34 AM Hang Zhang <zh.nvgt@...il.com> wrote:
> > > cm_write() is the .write callback of the custom_method debugfs
> > > interface, it operates on a global pointer "buf" (e.g.,
> > > dereference,
> > > allocate, free, and nullification), the problem is that cm_write()
> > > is not protected by any locks, so concurrent invocations of it
> > > may cause use-after-free issues for "buf", e.g., one invocation
> > > may have just freed "buf" while being preempted before nullifying
> > > the pointer, then another invocation can dereference the now
> > > dangling
> > > "buf" pointer.
> > >
> > > Fix the issue by protecting the "buf" operations in cm_write() with
> > > the inode write lock. Note that the .llseek callback of the debugfs
> > > interface has been protected by the same lock, this patch basically
> > > introduces it to the .write callback as well.
> >
> > The problem is there, but the whole state is not protected from
> > concurrent use and the fix doesn't look sufficient to me (for
> > example,
> > a different writer may start writing into the file before the
> > previous
> > one has finished and the result will still be broken AFAICS).
> >
> > It looks like the file should be prevented from being opened by more
> > than one writer at a time.
> >
> > Or maybe it's time to drop this interface from the kernel altogether.
> >
> I still use this interface for debugging AML issues occasionally. Say,
> dumping the value of some key objects to see the AML code path.
>
> I'm not sure if there is any alternative way to do this, especially in
> remote debug case. (This can be done via DSDT override, but not all
> users have the knowledge of building a customized kernel)
>
> If this is not a problem, then I think it is safe to remove this
> interface because I suspect I am the only user of this interface.
> Because there are some special tricks I got from Erik, to make it fully
> work after some certain ACPICA release. And this is not documented in
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/firmware-guide/acpi/method-customizing.rst#n58
> Say, to generate the AML code of the method, we need to
> 1. compile the table with external declarations.
> 2. If step 1 compiles successfully, remove the external declarations
> from the table and compile with -f.

Interesting.

This basically means that ACPICA broke backwards compatibility with
this interface at one point and it's been necessary to work around
that manually since then and nobody cared to update the documentation.

Oh well.

Let me send a patch to remove it then and we'll see what happens.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ