| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2023102730-twins-thieving-d04e@gregkh>
Date: Fri, 27 Oct 2023 13:11:51 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Yu Wang <quic_yyuwang@...cinc.com>
Cc: johannes@...solutions.net, rafael@...nel.org,
linux-kernel@...r.kernel.org, kernel@...cinc.com
Subject: Re: [PATCH] Devcoredump: fix use-after-free issue when releasing
devcd device
On Thu, Oct 26, 2023 at 10:55:21PM -0700, Yu Wang wrote:
> With sample code as below, it may hit use-after-free issue when
> releasing devcd device.
>
> struct my_coredump_state {
> struct completion dump_done;
> ...
> };
>
> static void my_coredump_free(void *data)
> {
> struct my_coredump_state *dump_state = data;
> ...
> complete(&dump_state->dump_done);
> }
>
> static void my_dev_release(struct device *dev)
> {
> kfree(dev);
> }
>
> static void my_coredump()
> {
> struct my_coredump_state dump_state;
> struct device *new_device =
> kzalloc(sizeof(*new_device), GFP_KERNEL);
>
> ...
> new_device->release = my_dev_release;
> device_initialize(new_device);
> ...
> device_add(new_device);
> ...
> init_completion(&dump_state.dump_done);
> dev_coredumpm(new_device, NULL, &dump_state, datalen, GFP_KERNEL,
> my_coredump_read, my_coredump_free);
> wait_for_completion(&dump_state.dump_done);
> device_del(new_device);
> put_device(new_device);
> }
Is there any in-kernel user like this? If so, why not fix them up to
not do this?
thanks,
greg k-h
Powered by blists - more mailing lists