| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALbr=Lav96pNT6mg5+h4LXtewxbwAo6J9hm+SGwwVy5i_tAYBQ@mail.gmail.com>
Date: Thu, 27 Nov 2025 23:00:16 +0800
From: Gui-Dong Han <hanguidong02@...il.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: rafael@...nel.org, dakr@...nel.org, linux-kernel@...r.kernel.org,
baijiaju1990@...il.com, Qiu-ji Chen <chenqiuji666@...il.com>
Subject: Re: [PATCH v2] driver core: fix use-after-free of driver_override via driver_match_device()
On Thu, Nov 27, 2025 at 5:16 PM Greg KH <gregkh@...uxfoundation.org> wrote:
>
> On Thu, Nov 27, 2025 at 12:00:11AM +0800, Gui-Dong Han wrote:
> > driver_set_override() modifies and frees dev->driver_override while
> > holding device_lock(dev). However, driver_match_device() reads
> > dev->driver_override when calling bus match functions.
> >
> > Currently, driver_match_device() is called from three sites. One site
> > (__device_attach_driver) holds device_lock(dev), but the other two
> > (bind_store and __driver_attach) do not. This allows a concurrent
> > driver_set_override() to free the string while driver_match_device() is
> > using it, leading to a use-after-free (UAF).
> >
> > This issue affects at least 11 bus types (including PCI, AMBA, Platform)
> > that rely on driver_override for matching.
> >
> > Fix this by holding device_lock(dev) around the driver_match_device() calls
> > in bind_store() and __driver_attach(). This ensures all access to
> > dev->driver_override via driver_match_device() is protected by the device
> > lock. Also add a lock assertion to driver_match_device() to prevent future
> > locking regressions.
> >
> > Tested with the PoCs from Bugzilla that trigger this UAF. Stress testing
> > the two newly locked paths for 24 hours with CONFIG_PROVE_LOCKING and
> > CONFIG_LOCKDEP enabled showed no UAF recurrence and no lockdep
> > warnings.
> >
> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
> > Suggested-by: Qiu-ji Chen <chenqiuji666@...il.com>
> > Signed-off-by: Gui-Dong Han <hanguidong02@...il.com>
> > ---
> > v2:
> > * Add device_lock_assert() in driver_match_device() to enforce locking
> > requirement, as suggested by Greg KH.
> > v1:
> > * The Bugzilla entry contains full KASAN reports and two PoCs that reliably
> > reproduce the UAF on both unlocked paths using a standard QEMU setup
> > (default e1000 device at 0000:00:03.0).
> > I chose to fix this in the driver core for the following reasons:
> > 1. Both racing functions are part of the driver core.
> > 2. Fixing this per-driver/per-bus is tedious and would require careful
> > ad-hoc locking that does not align with the existing device_lock(dev).
> > 3. We cannot simply add device_lock(dev) inside bus match functions because
> > one call path (__device_attach_driver) already holds this lock. Adding the
> > lock inside the match callback would cause a deadlock on that path.
> > ---
> > drivers/base/base.h | 2 ++
> > drivers/base/bus.c | 17 ++++++++++++-----
> > drivers/base/dd.c | 3 +++
> > 3 files changed, 17 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/base/base.h b/drivers/base/base.h
> > index 86fa7fbb3548..011e910a53f8 100644
> > --- a/drivers/base/base.h
> > +++ b/drivers/base/base.h
> > @@ -166,6 +166,8 @@ void device_set_deferred_probe_reason(const struct device *dev, struct va_format
> > static inline int driver_match_device(const struct device_driver *drv,
> > struct device *dev)
> > {
> > + /* Protects against driver_set_override() races */
> > + device_lock_assert(dev);
> > return drv->bus->match ? drv->bus->match(dev, drv) : 1;
>
> A new line after the assert?
>
> And thanks for adding the comment, but:
>
> > }
> >
> > diff --git a/drivers/base/bus.c b/drivers/base/bus.c
> > index 5e75e1bce551..9e62d6009058 100644
> > --- a/drivers/base/bus.c
> > +++ b/drivers/base/bus.c
> > @@ -261,13 +261,20 @@ static ssize_t bind_store(struct device_driver *drv, const char *buf,
> > const struct bus_type *bus = bus_get(drv->bus);
> > struct device *dev;
> > int err = -ENODEV;
> > + int ret;
> >
> > dev = bus_find_device_by_name(bus, NULL, buf);
> > - if (dev && driver_match_device(drv, dev)) {
> > - err = device_driver_attach(drv, dev);
> > - if (!err) {
> > - /* success */
> > - err = count;
> > + if (dev) {
> > + /* Protects against driver_set_override() races */
>
> This comment isn't needed anymore.
>
> > + device_lock(dev);
> > + ret = driver_match_device(drv, dev);
> > + device_unlock(dev);
> > + if (ret) {
> > + err = device_driver_attach(drv, dev);
> > + if (!err) {
> > + /* success */
> > + err = count;
> > + }
> > }
> > }
> > put_device(dev);
> > diff --git a/drivers/base/dd.c b/drivers/base/dd.c
> > index 13ab98e033ea..db60b4500136 100644
> > --- a/drivers/base/dd.c
> > +++ b/drivers/base/dd.c
> > @@ -1170,7 +1170,10 @@ static int __driver_attach(struct device *dev, void *data)
> > * is an error.
> > */
> >
> > + /* Protects against driver_set_override() races */
>
> Nor is this one.
>
> Also, I looked again, and why are you not grabbing the lock in the
> bind_store() sysfs call? driver_match_device() is only called in 3
> places, 2 now have the lock held, and one does not. This feels wrong.
Actually, the change in drivers/base/bus.c is exactly for the
bind_store() path. So all 3 call sites are covered and locked with
this patch.
I have verified this with the PoC for bind_store(), and the new
lockdep assertion does not trigger any warnings, confirming the lock
is properly held.
I have just sent a v3 patch which adds the blank line and removes the
redundant comments as suggested.
Thanks,
Gui-Dong Han
Powered by blists - more mailing lists