lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CABb+yY39rhTZbtA21MecYk-R9fh7VQQr5kZUgCw4z92mWhZ1Rg@mail.gmail.com>
Date: Sat, 24 Jan 2026 19:42:18 -0600
From: Jassi Brar <jassisinghbrar@...il.com>
To: Joonwon Kang <joonwonkang@...gle.com>
Cc: thierry.reding@...il.com, alexey.klimov@....com, sudeep.holla@....com, 
	jonathanh@...dia.com, linux-kernel@...r.kernel.org, 
	linux-tegra@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH 1/2 RESEND] mailbox: Use per-thread completion to fix
 wrong completion order

On Tue, Dec 16, 2025 at 2:43 AM Joonwon Kang <joonwonkang@...gle.com> wrote:
>
> Previously, a sender thread in mbox_send_message() could be woken up at
> a wrong time in blocking mode. It is because there was only a single
> completion for a channel whereas messages from multiple threads could be
> sent on the same channel in any order; since the shared completion could
> be signalled in any order, it could wake up a wrong sender thread.
>
> This commit resolves the false wake-up issue with the following changes:
> - Completions are created just as many as the number of concurrent sender
>   threads
> - A completion is created on a sender thread's stack
> - Each slot of the message queue, i.e. `msg_data`, contains a pointer to
>   its target completion
> - tx_tick() signals the completion of the currently active slot of the
>   message queue
>
Mailbox API does not support shared channels. Each channel is supposed
to be owned by one client. Though a client can serve multiple users of
the channel, but then it will have to serialize access to the channel.
The implication is mailbox_send_message should not be called before
the last call returns (in blocking mode).
Even with this patch, consider when threadA is active and threadB too
is waiting next. If the tx_tout races with threadA's transmission,
threadB may timeout and call tx_tick() on the channel thereby
affecting threadA. Which also eventually proceeds to complete on
threadB's tx_complete which was on the stack and hence no more exists
thereby causing UAF. So if you have multiple users in blocking mode,
have a local queuing mechanism.

Thanks.
Jassi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ