From: Muchun Song
To: linus.walleij@linaro.org, bgolaszewski@baylibre.com
Cc: linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH RESEND] gpiolib: Fix possible use after free on label
Date: Tue, 30 Oct 2018 23:22:29 +0800
Message-Id: <20181030152229.90375-1-smuchun@gmail.com>

gpiod_request_commit() copies the pointer to the label passed as an argument only to be used later. But there's a chance the caller could immediately free the passed string (e.g., local variable). This could trigger a use after free when we use gpio label (e.g., gpiochip_unlock_as_irq(), gpiochip_is_requested()).

To be on the safe side: duplicate the string with kstrdup_const() so that if an unaware user passes an address to a stack-allocated buffer, we won't get the arbitrary label.

Signed-off-by: Muchun Song

--- drivers/gpio/gpiolib.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 25187403e3ac..e600c5f5d9a7 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c
@@ -2270,6 +2270,12 @@ static int gpiod_request_commit(struct gpio_desc *desc, const char *label) unsigned long flags; unsigned offset; + if (label) { + label = kstrdup_const(label, GFP_KERNEL); + if (!label) + return -ENOMEM; + } + spin_lock_irqsave(&gpio_lock, flags); /* NOTE: gpio_request() can be called in early boot, @@ -2280,6 +2286,7 @@ static int gpiod_request_commit(struct gpio_desc *desc, const char *label) desc_set_label(desc, label ? : "?"); status = 0; } else { + kfree_const(label); status = -EBUSY; goto done; } @@ -2296,6 +2303,7 @@ static int gpiod_request_commit(struct gpio_desc *desc, const char *label) if (status < 0) { desc_set_label(desc, NULL); + kfree_const(label); clear_bit(FLAG_REQUESTED, &desc->flags); goto done; } @@ -2391,6 +2399,7 @@ static bool gpiod_free_commit(struct gpio_desc *desc) chip->free(chip, gpio_chip_hwgpio(desc)); spin_lock_irqsave(&gpio_lock, flags); } + kfree_const(desc->label); desc_set_label(desc, NULL); clear_bit(FLAG_ACTIVE_LOW, &desc->flags); clear_bit(FLAG_REQUESTED, &desc->flags); -- 2.17.1
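
Review bot: in the first hunk (@@ -2270,6 +2270,12 @@), the duplicate is assigned back to the `label` parameter, so after `label = kstrdup_const(label, GFP_KERNEL);` the same name silently changes from a borrowed pointer to an owned one that every exit has to free. A separate local for the copy would make the ownership visible to the next person adding a return path. The allocation is correctly placed before spin_lock_irqsave(), but the context comment says gpio_request() can be called in early boot, so the commit message should say why a GFP_KERNEL allocation is acceptable at that point.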
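
Review bot: the `kfree_const(label);` added in the -EBUSY branch (@@ -2280,6 +2286,7 @@) is the first of two hand-written error frees, the second being in the `status < 0` block of the next hunk, and both paths end in `goto done`. Freeing once at the common exit when status is negative would keep the cleanup in one place and avoid a leak if a third failing path is added later.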
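
Review bot: in gpiod_free_commit() (@@ -2391,6 +2399,7 @@), `kfree_const(desc->label);` runs before `desc_set_label(desc, NULL);`, so desc->label points at freed memory until the next line, while the error path in gpiod_request_commit() clears the label first and frees afterwards. Use the same order here: save the pointer, clear the label, then free the saved copy. This free also now applies to whatever desc->label holds; the "?" fallback from `desc_set_label(desc, label ? : "?");` is only safe because kfree_const() skips rodata strings, which deserves a comment, and any other caller of desc_set_label() should be checked to confirm it never stores a pointer that must not be freed this way.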