From: Linus Walleij
Date: Fri, 2 Nov 2018 10:24:53 +0100
Subject: Re: [PATCH v2] gpiolib: Fix possible use after free on label
To: smuchun@gmail.com, Nicolas Pitre
Cc: Bartosz Golaszewski, "open list:GPIO SUBSYSTEM", "linux-kernel@vger.kernel.org"
References: <20181101131250.41636-1-smuchun@gmail.com>

On Thu, Nov 1, 2018 at 4:27 PM Linus Walleij wrote:
> On Thu, Nov 1, 2018 at 2:13 PM Muchun Song wrote:
>
> > gpiod_request_commit() copies the pointer to the label passed as
> > an argument only to be used later. But there's a chance the caller
> > could immediately free the passed string (e.g., local variable).
> > This could trigger a use after free when we use gpio label (e.g.,
> > gpiochip_unlock_as_irq(), gpiochip_is_requested()).
> >
> > To be on the safe side: duplicate the string with kstrdup_const()
> > so that if an unaware user passes an address to a stack-allocated
> > buffer, we won't get the arbitrary label.
> >
> > Also fix gpiod_set_consumer_name().
> >
> > Signed-off-by: Muchun Song
>
> I am still a bit worried about the kstrdup_const() that this
> introduces.

Forget it.

I realized after actually reading the code for kstrdup_const()
that it really does exactly what we want.

I should stop assuming things are syntactic sugar in the kernel,
we have some really smart people working with it...

Patch applied.

Yours,
Linus Walleij
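
A userspace model of the behaviour discussed in this thread, added here as an example and not taken from the patch or the kernel source: dup_const() and free_const() mimic kstrdup_const() and kfree_const(), which share strings that live in read-only data and copy everything else. The names rodata, is_rodata(), label_survives() and rodata_is_shared() and the sample labels are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the kernel's .rodata section (assumption of this model). */
static const char rodata[] = "led-heartbeat";
static int is_rodata(const void *p) {
    return (uintptr_t)p - (uintptr_t)rodata < sizeof(rodata);
}

/* Model of kstrdup_const(): share read-only strings, copy everything else. */
static const char *dup_const(const char *s) {
    char *copy;
    if (is_rodata(s)) return s;
    copy = malloc(strlen(s) + 1);
    return copy ? strcpy(copy, s) : NULL;
}

/* Model of kfree_const(): free only what dup_const() allocated. */
static void free_const(const char *s) {
    if (!is_rodata(s)) free((void *)s);
}

/* Returns 1 if the stored label is intact after the caller reuses its buffer.
 * copy=0 keeps the caller's pointer (pre-patch), copy=1 duplicates it. */
static int label_survives(int copy) {
    char buf[16] = "sensor-irq";          /* constructed caller-owned buffer */
    const char *label = copy ? dup_const(buf) : buf;
    int ok;
    if (!label) return -1;
    memset(buf, 'X', sizeof(buf) - 1);    /* caller reuses its memory */
    ok = strcmp(label, "sensor-irq") == 0;
    if (copy) free_const(label);
    return ok;
}

/* Returns 1 if a read-only string is shared rather than copied. */
static int rodata_is_shared(void) {
    const char *label = dup_const(rodata);
    int shared = (label == rodata);
    free_const(label);                    /* no-op: nothing was allocated */
    return shared;
}

int main(void) {
    printf("borrowed=%d copied=%d shared=%d\n", label_survives(0), label_survives(1), rodata_is_shared());
    return 0;
}
```

The buffer is overwritten while still in scope, so the model shows the stale label without dereferencing freed memory.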