From: Linus Walleij
Date: Wed, 31 Oct 2018 11:32:11 +0100
Subject: Re: [PATCH] gpiolib: fix possible use after free on label
To: smuchun@gmail.com
Cc: "open list:GPIO SUBSYSTEM", "linux-kernel@vger.kernel.org"
References: <20181024134040.115413-1-smuchun@gmail.com>
In-Reply-To: <20181024134040.115413-1-smuchun@gmail.com>

Hi Muchun,

thanks for your patch!

On Wed, Oct 24, 2018 at 3:41 PM Muchun Song wrote:
> gpiod_request_commit() copies the pointer to the label
> passed as an argument only to be used later. But there's a
> chance the caller could immediately free the passed string
> (e.g., local variable). This could trigger a use after free
> when we use gpio label (e.g., gpiochip_unlock_as_irq(),
> gpiochip_is_requested()).
>
> To be on the safe side: duplicate the string with
> kstrdup_const() so that if an unaware user passes an address
> to a stack-allocated buffer, we won't get the arbitrary label.
>
> Signed-off-by: Muchun Song

I am a bit worried about the memory consumption for this, but I guess typically this should not be much.

I am a little bit lost in const-correctness here, and I do understand that the label could point to something allocated on the stack, but it seems like an awkward way of shooting oneself in the foot really. Allocate something and then pass it as a const char *? That is something we could pretty much detect with a Coccinelle script I think?
Anyways: if you want to proceed with this approach, also make sure to fix gpiod_set_consumer_name() to free previous label and make a new strdup when called.

Yours,
Linus Walleij
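The hazard under discussion, reduced to a user-space C sketch (added here; not gpiolib code and not from either poster): a descriptor that merely aliases the caller's label pointer reports whatever the caller later writes into that buffer, whereas taking an owned copy (strdup standing in for kstrdup_const()) keeps the label stable, and the rename path must free the previous copy before storing a new one, as the reply asks for gpiod_set_consumer_name(). The struct and function names are hypothetical stand-ins.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a gpiolib descriptor; only the label matters here. */
struct gpio_desc {
    char *label;                 /* owned copy once requested, NULL when free */
};

/* Pattern the patch fixes: store only the caller's pointer (aliases caller memory). */
static void request_unsafe(struct gpio_desc *d, const char *label)
{
    d->label = (char *)label;
}

/* Fixed pattern: duplicate the string so the caller's buffer may go away. */
static int request_safe(struct gpio_desc *d, const char *label)
{
    d->label = strdup(label);
    return d->label ? 0 : -1;
}

/* Rename path: free the previous duplicate, then store a fresh one. */
static int set_consumer_name(struct gpio_desc *d, const char *name)
{
    char *copy = strdup(name);
    if (!copy)
        return -1;
    free(d->label);
    d->label = copy;
    return 0;
}

/* Returns 1 if the descriptor still reports "uart-rx" after the caller reuses its buffer. */
static int label_survives(int safe)
{
    char buf[32];                           /* constructed: caller's transient buffer */
    struct gpio_desc d = { NULL };
    int ok;

    snprintf(buf, sizeof buf, "uart-rx");
    if (safe) request_safe(&d, buf); else request_unsafe(&d, buf);
    snprintf(buf, sizeof buf, "unrelated");  /* caller overwrites its buffer later */
    ok = strcmp(d.label, "uart-rx") == 0;
    if (safe) free(d.label);
    return ok;
}

/* Returns 1 if a rename survives the caller scribbling over its own name buffer. */
static int rename_works(void)
{
    char name[16];
    struct gpio_desc d = { NULL };
    int ok;

    request_safe(&d, "led0");
    snprintf(name, sizeof name, "led-status");
    set_consumer_name(&d, name);
    memset(name, 'x', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    ok = strcmp(d.label, "led-status") == 0;
    free(d.label);
    return ok;
}
```

In the real kernel the stale pointer would target freed stack memory rather than a reused live buffer, so the symptom there is an actual use after free, which tools like KASAN can catch.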