From: Linus Walleij
Date: Thu, 1 Nov 2018 16:27:58 +0100
Subject: Re: [PATCH v2] gpiolib: Fix possible use after free on label
To: smuchun@gmail.com, Nicolas Pitre
Cc: Bartosz Golaszewski, "open list:GPIO SUBSYSTEM", linux-kernel@vger.kernel.org
In-Reply-To: <20181101131250.41636-1-smuchun@gmail.com>

On Thu, Nov 1, 2018 at 2:13 PM Muchun Song wrote:

> gpiod_request_commit() copies the pointer to the label passed as
> an argument only to be used later. But there's a chance the caller
> could immediately free the passed string (e.g., local variable).
> This could trigger a use after free when we use gpio label (e.g.,
> gpiochip_unlock_as_irq(), gpiochip_is_requested()).
>
> To be on the safe side: duplicate the string with kstrdup_const()
> so that if an unaware user passes an address to a stack-allocated
> buffer, we won't get the arbitrary label.
>
> Also fix gpiod_set_consumer_name().
>
> Signed-off-by: Muchun Song

I am still a bit worried about the kstrdup_const() that this introduces.
The tinyfication people will not like that we now copy every GPIO line
name from the device tree into a new reference copy.

What we *REALLY* want to do is:

    const char *str;
    const char *ref;

    if (pointer_on_stack(str))
        ref = kstrdup_const(str);
    else
        ref = str;

Isn't this possible to achieve somehow? If not, why not?

I suspect maybe there is no simple solution to this, but what about a
really complicated and hard solution? I'm looping in Nico for advice.

Maybe I will end up applying it anyway but I'm not sure. The patch looks
good otherwise.

Yours,
Linus Walleij
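An added illustration of the bug the patch addresses, not code from the patch or from gpiolib: a user-space C model of a descriptor that keeps the caller's label pointer versus one that duplicates it, with kstrdup_const()/kfree_const() stood in by strdup()/free(). The struct and function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct gpio_desc; only the label matters here. */
struct gpio_desc_model {
    const char *label;  /* caller's pointer (buggy) or an owned copy (fixed) */
    int owns_label;     /* non-zero when release must free it (cf. kfree_const) */
};

/* Buggy pattern: keep the caller's pointer. A stack buffer or a string the
 * caller frees or reuses afterwards leaves desc->label dangling. */
static void request_label_buggy(struct gpio_desc_model *desc, const char *label)
{
    desc->label = label;
    desc->owns_label = 0;
}

/* Fixed pattern: duplicate the label. strdup() models kstrdup_const(label,
 * GFP_KERNEL); the kernel helper skips the copy for .rodata strings, which is
 * the extra allocation the reply worries about. Returns 0, or -1 on OOM. */
static int request_label_fixed(struct gpio_desc_model *desc, const char *label)
{
    desc->label = label ? strdup(label) : NULL;  /* kstrdup_const(NULL) is NULL */
    desc->owns_label = desc->label != NULL;
    return (label && !desc->label) ? -1 : 0;
}

/* Release counterpart (models kfree_const): free only what we duplicated. */
static void release_label(struct gpio_desc_model *desc)
{
    if (desc->owns_label)
        free((char *)desc->label);
    desc->label = NULL;
}

/* Request with a label in a local buffer, then reuse the buffer as a caller
 * might once gpiod_request_commit() has returned. Returns 1 if the descriptor
 * still reports the original label, 0 if it now reads the reused contents. */
static int label_survives_buffer_reuse(int use_fix)
{
    char buf[16];
    struct gpio_desc_model desc;
    int ok;
    strcpy(buf, "probe-label");
    if (use_fix)
        request_label_fixed(&desc, buf);
    else
        request_label_buggy(&desc, buf);
    strcpy(buf, "other-label");  /* caller reuses its buffer */
    ok = desc.label && strcmp(desc.label, "probe-label") == 0;
    release_label(&desc);
    return ok;
}
```

The buffer is only overwritten, not freed, so the aliasing shows up deterministically; in the kernel the same aliasing becomes a use after free once the caller's memory is released.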