Open Source and information security mailing list archives
 
Message-ID: <2023103119-litigator-yonder-6ee1@gregkh>
Date:   Tue, 31 Oct 2023 14:02:43 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Mukesh Ojha <quic_mojha@...cinc.com>
Cc:     Johannes Berg <johannes@...solutions.net>,
        Yu Wang <quic_yyuwang@...cinc.com>, rafael@...nel.org,
        linux-kernel@...r.kernel.org, kernel@...cinc.com
Subject: Re: [PATCH] Devcoredump: fix use-after-free issue when releasing
 devcd device

On Tue, Oct 31, 2023 at 06:16:08PM +0530, Mukesh Ojha wrote:
> 
> 
> On 10/31/2023 2:29 PM, Johannes Berg wrote:
> > On Tue, 2023-10-31 at 16:29 +0800, Yu Wang wrote:
> > > 
> > > In this case, the device is temporarily added for dump only, so we need to
> > > delete it when dump is completed.
> > > The other users don't add/delete the device like this.
> > 
> > For good reason, I guess? I think this is probably a bad idea.
> > 
> > The whole point of this was to actually know which device created the
> > coredump? If you make one up on the fly that's ... pointless? Surely you
> > must have _some_ device that already exists?
> 
> Passing device name to user space looks to be the reason.

Wait, again, why are you creating a fake device just to dump data?
That's not what this api is for at all, why are you abusing it in ways
it was not designed to be used?

And I will strongly argue, that if no in-kernel users are having
problems, perhaps it is your out-of-tree code?

Unless you can show any in-kernel user of this triggering the issue, I
don't think there's anything we need to do here, do you?

thanks,

greg k-h
