| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 May 2023 12:17:02 +0200
From: Geert Uytterhoeven <geert+renesas@...der.be>
To: Dmitry Torokhov <dmitry.torokhov@...il.com>,
Javier Martinez Canillas <javierm@...hat.com>,
Brendan Higgins <brendan.higgins@...ux.dev>,
David Gow <davidgow@...gle.com>
Cc: linux-input@...r.kernel.org, linux-kselftest@...r.kernel.org,
kunit-dev@...glegroups.com, linux-kernel@...r.kernel.org,
Geert Uytterhoeven <geert+renesas@...der.be>
Subject: [PATCH 1/2] Input: tests - fix use-after-free and refcount underflow in input_test_exit()
With CONFIG_DEBUG_SLAB=y:
# Subtest: input_core
1..3
input: Test input device as /devices/virtual/input/input1
8<--- cut here ---
Unable to handle kernel paging request at virtual address 6b6b6dd7 when read
...
__lock_acquire from lock_acquire+0x26c/0x300
lock_acquire from _raw_spin_lock_irqsave+0x50/0x64
_raw_spin_lock_irqsave from devres_remove+0x20/0x7c
devres_remove from devres_destroy+0x8/0x24
devres_destroy from input_free_device+0x2c/0x60
input_free_device from kunit_try_run_case+0x70/0x94 [kunit]
Without CONFIG_DEBUG_SLAB=y:
KTAP version 1
# Subtest: input_core
1..3
input: Test input device as /devices/virtual/input/input1
------------[ cut here ]------------
WARNING: CPU: 0 PID: 694 at lib/refcount.c:28 refcount_warn_saturate+0x54/0x100
refcount_t: underflow; use-after-free.
...
Call Trace: [<0037cad4>] dump_stack+0xc/0x10
[<00377614>] __warn+0x7e/0xb4
[<0037768c>] warn_slowpath_fmt+0x42/0x62
[<001eee1c>] refcount_warn_saturate+0x54/0x100
[<000b1d34>] kfree_const+0x0/0x20
[<0036290a>] __kobject_del+0x0/0x6e
[<001eee1c>] refcount_warn_saturate+0x54/0x100
[<00362a1a>] kobject_put+0xa2/0xb6
[<11965770>] kunit_generic_run_threadfn_adapter+0x0/0x1c [kunit]
As per the comments for input_allocate_device() and
input_register_device(), input_free_device() must be called only to free
devices that have not been registered. input_unregister_device()
already calls input_put_device(), thus leading to a use-after-free.
Moreover, the kunit_suite.exit() method is called after every test case,
even on failures. As the test itself already does cleanups in its
failure paths, this may lead to a second use-after-free.
Fix the first issue by dropping the call to input_allocate_device() from
input_test_exit().
Fix the second issue by making the cleanup code conditional on a
successful test.
Fixes: fdefcbdd6f361841 ("Input: Add KUnit tests for some of the input core helper functions")
Signed-off-by: Geert Uytterhoeven <geert+renesas@...der.be>
---
drivers/input/tests/input_test.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/input/tests/input_test.c b/drivers/input/tests/input_test.c
index e5a6c1ad2167c103..8b8ac3412a70d3b4 100644
--- a/drivers/input/tests/input_test.c
+++ b/drivers/input/tests/input_test.c
@@ -43,8 +43,8 @@ static void input_test_exit(struct kunit *test)
{
struct input_dev *input_dev = test->priv;
- input_unregister_device(input_dev);
- input_free_device(input_dev);
+ if (input_dev)
+ input_unregister_device(input_dev);
}
static void input_test_poll(struct input_dev *input) { }
--
2.34.1
Powered by blists - more mailing lists