| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <878ra3m5my.fsf@nvidia.com>
Date: Tue, 22 Aug 2023 08:57:41 -0700
From: Rahul Rameshbabu <rrameshbabu@...dia.com>
To: Maxime Ripard <mripard@...nel.org>
Cc: syzbot <syzbot+3a0ebe8a52b89c63739d@...kaller.appspotmail.com>,
davidgow@...gle.com, dmitry.torokhov@...il.com,
gregkh@...uxfoundation.org, linux-input@...r.kernel.org,
linux-kernel@...r.kernel.org, rydberg@...math.org,
syzkaller-bugs@...glegroups.com, benjamin.tissoires@...hat.com
Subject: Re: [syzbot] [input?] KASAN: slab-use-after-free Read in
input_dev_uevent
Hi Maxime,
On Tue, 22 Aug, 2023 11:12:28 +0200 Maxime Ripard <mripard@...nel.org> wrote:
> Hi,
>
> So, we discussed it this morning with Benjamin, and I think the culprit
> is that the uclogic driver will allocate a char array with devm_kzalloc
> in uclogic_input_configured()
> (https://elixir.bootlin.com/linux/latest/source/drivers/hid/hid-uclogic-core.c#L149),
> and will assign input_dev->name to that pointer.
>
> When the device is removed, the devm-allocated array is freed, and the
> input framework will send a uevent in input_dev_uevent() using the
> input_dev->name field:
>
> https://elixir.bootlin.com/linux/latest/source/drivers/input/input.c#L1688
>
> So it's a classic dangling pointer situation.
>
> And even though it was revealed by that patch, I think the issue is
> unrelated. The fundamental issue seems to be that the usage of devm in
> that situation is wrong.
>
> input_dev->name is accessed by input_dev_uevent, which for KOBJ_UNBIND
> and KOBJ_REMOVE will be called after remove.
>
> For example, in __device_release_driver() (with the driver remove hook
> being called in device_remove() and devres_release_all() being called in
> device_unbind_cleanup()):
> https://elixir.bootlin.com/linux/latest/source/drivers/base/dd.c#L1278
>
> So, it looks to me that, with or without the patch we merged recently,
> the core has always sent uevent after device-managed resources were
> freed. Thus, the uclogic (and any other input driver) was wrong in
> allocating its input_dev name with devm_kzalloc (or the phys and uniq
> fields in that struct).
>
> Note that freeing input_dev->name in remove would have been just as bad.
>
> Looking at the code quickly, at least hid-playstation,
> hid-nvidia-shield, hid-logitech-hidpp, mms114 and tsc200x seem to be
> affected by the same issue.
I agree with this analysis overall. At least in hid-nvidia-shield, I can
not use devm for allocating the input name string and explicitly free it
after calling input_unregister_device. In this scenario, the name string
would have been freed explicitly after input_put_device was called
(since the input device is not devres managed). input_put_device would
drop the reference count to zero and the device would be cleaned up at
that point triggering KOBJ_REMOVE and firing off that final
input_dev_uevent.
I think this can be done for a number of the drivers as a workaround
till this issue is properly resolved. If this seems appropriate, I can
send out a series later in the day. This is just a workaround till the
discussion below converges (which I am interested in).
>
> We discussed a couple of solutions with Benjamin, such as creating a
> helper devm action to free and clear the input_dev->name field, droping
> the name, phys and uniq fields from the uevent, or converting name, phys
> and uniq to char arrays so drivers don't have to allocate them.
>
> We couldn't find a perfect one though, so... yeah.
>
> Maxime
--
Thanks,
Rahul Rameshbabu
Powered by blists - more mailing lists