When device_register() fails, the code jumps to out_kfree_type
to release 'cdev->device' via put_device(). That calls thermal_release(),
which frees 'cdev'. But the steps that follow keep accessing 'cdev'.
That triggers the UAF bug.
====================================================================
BUG: KASAN: use-after-free in __thermal_cooling_device_register+0x75b/0xa90
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
dump_stack_lvl+0xe2/0x152
print_address_description.constprop.0+0x21/0x140
? __thermal_cooling_device_register+0x75b/0xa90
kasan_report.cold+0x7f/0x11b
? __thermal_cooling_device_register+0x75b/0xa90
__thermal_cooling_device_register+0x75b/0xa90
? memset+0x20/0x40
? __sanitizer_cov_trace_pc+0x1d/0x50
? __devres_alloc_node+0x130/0x180
devm_thermal_of_cooling_device_register+0x67/0xf0
max6650_probe.cold+0x557/0x6aa
......
Freed by task 258:
kasan_save_stack+0x1b/0x40
kasan_set_track+0x1c/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0x109/0x140
kfree+0x117/0x4c0
thermal_release+0xa0/0x110
device_release+0xa7/0x240
kobject_put+0x1ce/0x540
put_device+0x20/0x30
__thermal_cooling_device_register+0x731/0xa90
devm_thermal_of_cooling_device_register+0x67/0xf0
max6650_probe.cold+0x557/0x6aa [max6650]
Do not use 'cdev' again after put_device() to fix the problem like doing
in thermal_zone_device_register().
Fixes: 584837618100 ("thermal/drivers/core: Use a char pointer for the cooling device name")
Signed-off-by: Ziyang Xuan <[email protected]>
Reported-by: kernel test robot <[email protected]>
Reported-by: kernel test robot <[email protected]>
---
drivers/thermal/thermal_core.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
index 97ef9b040b84..d2c196b298c1 100644
--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -888,7 +888,7 @@ __thermal_cooling_device_register(struct device_node *np,
{
struct thermal_cooling_device *cdev;
struct thermal_zone_device *pos = NULL;
- int ret;
+ int id, ret;
if (!ops || !ops->get_max_state || !ops->get_cur_state ||
!ops->set_cur_state)
@@ -901,7 +901,7 @@ __thermal_cooling_device_register(struct device_node *np,
ret = ida_simple_get(&thermal_cdev_ida, 0, 0, GFP_KERNEL);
if (ret < 0)
goto out_kfree_cdev;
- cdev->id = ret;
+ cdev->id = id = ret;
cdev->type = kstrdup(type ? type : "", GFP_KERNEL);
if (!cdev->type) {
@@ -942,8 +942,9 @@ __thermal_cooling_device_register(struct device_node *np,
out_kfree_type:
kfree(cdev->type);
put_device(&cdev->device);
+ cdev = NULL;
out_ida_remove:
- ida_simple_remove(&thermal_cdev_ida, cdev->id);
+ ida_simple_remove(&thermal_cdev_ida, id);
out_kfree_cdev:
kfree(cdev);
return ERR_PTR(ret);
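Review bot: The `cdev = NULL;` added after put_device() makes the fall-through into out_ida_remove and out_kfree_cdev correct only because kfree(NULL) is a no-op, and nothing in the hunk says so, so a reader reaching `kfree(cdev);` will wonder why a pointer that was just released is passed to kfree(). I would put a comment on the new line, `/* thermal_release() freed cdev via put_device(); kfree(NULL) below is a no-op */`, which also records why this mirrors the pattern the description cites from thermal_zone_device_register(). The switch to `ida_simple_remove(&thermal_cdev_ida, id)` depends on `id` (declared in the first hunk) being assigned before any jump to out_ida_remove; from the visible hunks the only earlier jump, on ida_simple_get() failure, goes to out_kfree_cdev, so that appears to hold, though paths between the hunks are not shown here. The closing brace of __thermal_cooling_device_register() lies outside the hunk.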
--
2.25.1
On Fri, Oct 15, 2021 at 4:46 AM Ziyang Xuan
<[email protected]> wrote:
>
> When device_register() return failed, program will goto out_kfree_type
> to release 'cdev->device' by put_device(). That will call thermal_release()
> to free 'cdev'. But the follow-up processes access 'cdev' continually.
> That trggers the UAF bug.
>
> ====================================================================
> BUG: KASAN: use-after-free in __thermal_cooling_device_register+0x75b/0xa90
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
> dump_stack_lvl+0xe2/0x152
> print_address_description.constprop.0+0x21/0x140
> ? __thermal_cooling_device_register+0x75b/0xa90
> kasan_report.cold+0x7f/0x11b
> ? __thermal_cooling_device_register+0x75b/0xa90
> __thermal_cooling_device_register+0x75b/0xa90
> ? memset+0x20/0x40
> ? __sanitizer_cov_trace_pc+0x1d/0x50
> ? __devres_alloc_node+0x130/0x180
> devm_thermal_of_cooling_device_register+0x67/0xf0
> max6650_probe.cold+0x557/0x6aa
> ......
>
> Freed by task 258:
> kasan_save_stack+0x1b/0x40
> kasan_set_track+0x1c/0x30
> kasan_set_free_info+0x20/0x30
> __kasan_slab_free+0x109/0x140
> kfree+0x117/0x4c0
> thermal_release+0xa0/0x110
> device_release+0xa7/0x240
> kobject_put+0x1ce/0x540
> put_device+0x20/0x30
> __thermal_cooling_device_register+0x731/0xa90
> devm_thermal_of_cooling_device_register+0x67/0xf0
> max6650_probe.cold+0x557/0x6aa [max6650]
>
> Do not use 'cdev' again after put_device() to fix the problem like doing
> in thermal_zone_device_register().
>
> Fixes: 584837618100 ("thermal/drivers/core: Use a char pointer for the cooling device name")
> Signed-off-by: Ziyang Xuan <[email protected]>
> Reported-by: kernel test robot <[email protected]>
> Reported-by: kernel test robot <[email protected]>
> ---
> drivers/thermal/thermal_core.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
> index 97ef9b040b84..d2c196b298c1 100644
> --- a/drivers/thermal/thermal_core.c
> +++ b/drivers/thermal/thermal_core.c
> @@ -888,7 +888,7 @@ __thermal_cooling_device_register(struct device_node *np,
> {
> struct thermal_cooling_device *cdev;
> struct thermal_zone_device *pos = NULL;
> - int ret;
> + int id, ret;
>
> if (!ops || !ops->get_max_state || !ops->get_cur_state ||
> !ops->set_cur_state)
> @@ -901,7 +901,7 @@ __thermal_cooling_device_register(struct device_node *np,
> ret = ida_simple_get(&thermal_cdev_ida, 0, 0, GFP_KERNEL);
> if (ret < 0)
> goto out_kfree_cdev;
> - cdev->id = ret;
> + cdev->id = id = ret;
I'd prefer this to be two statements, but I can fix it up.
Daniel, would there be any issues if I applied it?
>
> cdev->type = kstrdup(type ? type : "", GFP_KERNEL);
> if (!cdev->type) {
> @@ -942,8 +942,9 @@ __thermal_cooling_device_register(struct device_node *np,
> out_kfree_type:
> kfree(cdev->type);
> put_device(&cdev->device);
> + cdev = NULL;
> out_ida_remove:
> - ida_simple_remove(&thermal_cdev_ida, cdev->id);
> + ida_simple_remove(&thermal_cdev_ida, id);
> out_kfree_cdev:
> kfree(cdev);
> return ERR_PTR(ret);
> --
> 2.25.1
>
> On Fri, Oct 15, 2021 at 4:46 AM Ziyang Xuan
> <[email protected]> wrote:
>>
>> When device_register() return failed, program will goto out_kfree_type
>> to release 'cdev->device' by put_device(). That will call thermal_release()
>> to free 'cdev'. But the follow-up processes access 'cdev' continually.
>> That trggers the UAF bug.
>>
>> ====================================================================
>> BUG: KASAN: use-after-free in __thermal_cooling_device_register+0x75b/0xa90
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
>> Call Trace:
>> dump_stack_lvl+0xe2/0x152
>> print_address_description.constprop.0+0x21/0x140
>> ? __thermal_cooling_device_register+0x75b/0xa90
>> kasan_report.cold+0x7f/0x11b
>> ? __thermal_cooling_device_register+0x75b/0xa90
>> __thermal_cooling_device_register+0x75b/0xa90
>> ? memset+0x20/0x40
>> ? __sanitizer_cov_trace_pc+0x1d/0x50
>> ? __devres_alloc_node+0x130/0x180
>> devm_thermal_of_cooling_device_register+0x67/0xf0
>> max6650_probe.cold+0x557/0x6aa
>> ......
>>
>> Freed by task 258:
>> kasan_save_stack+0x1b/0x40
>> kasan_set_track+0x1c/0x30
>> kasan_set_free_info+0x20/0x30
>> __kasan_slab_free+0x109/0x140
>> kfree+0x117/0x4c0
>> thermal_release+0xa0/0x110
>> device_release+0xa7/0x240
>> kobject_put+0x1ce/0x540
>> put_device+0x20/0x30
>> __thermal_cooling_device_register+0x731/0xa90
>> devm_thermal_of_cooling_device_register+0x67/0xf0
>> max6650_probe.cold+0x557/0x6aa [max6650]
>>
>> Do not use 'cdev' again after put_device() to fix the problem like doing
>> in thermal_zone_device_register().
>>
>> Fixes: 584837618100 ("thermal/drivers/core: Use a char pointer for the cooling device name")
>> Signed-off-by: Ziyang Xuan <[email protected]>
>> Reported-by: kernel test robot <[email protected]>
>> Reported-by: kernel test robot <[email protected]>
>> ---
>> drivers/thermal/thermal_core.c | 7 ++++---
>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
>> index 97ef9b040b84..d2c196b298c1 100644
>> --- a/drivers/thermal/thermal_core.c
>> +++ b/drivers/thermal/thermal_core.c
>> @@ -888,7 +888,7 @@ __thermal_cooling_device_register(struct device_node *np,
>> {
>> struct thermal_cooling_device *cdev;
>> struct thermal_zone_device *pos = NULL;
>> - int ret;
>> + int id, ret;
>>
>> if (!ops || !ops->get_max_state || !ops->get_cur_state ||
>> !ops->set_cur_state)
>> @@ -901,7 +901,7 @@ __thermal_cooling_device_register(struct device_node *np,
>> ret = ida_simple_get(&thermal_cdev_ida, 0, 0, GFP_KERNEL);
>> if (ret < 0)
>> goto out_kfree_cdev;
>> - cdev->id = ret;
>> + cdev->id = id = ret;
>
> I'd prefer this to be two statements, but I can fix it up.
>
> Daniel, would there be any issues if I applied it?
>
OK, no problem.
>>
>> cdev->type = kstrdup(type ? type : "", GFP_KERNEL);
>> if (!cdev->type) {
>> @@ -942,8 +942,9 @@ __thermal_cooling_device_register(struct device_node *np,
>> out_kfree_type:
>> kfree(cdev->type);
>> put_device(&cdev->device);
>> + cdev = NULL;
>> out_ida_remove:
>> - ida_simple_remove(&thermal_cdev_ida, cdev->id);
>> + ida_simple_remove(&thermal_cdev_ida, id);
>> out_kfree_cdev:
>> kfree(cdev);
>> return ERR_PTR(ret);
>> --
>> 2.25.1
>>
> .
>