Date: Fri, 2 Nov 2018 12:12:24 -0400 (EDT)
From: Nicolas Pitre
To: Linus Walleij
cc: smuchun@gmail.com, Bartosz Golaszewski, "open list:GPIO SUBSYSTEM", "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH v2] gpiolib: Fix possible use after free on label
In-Reply-To:
Message-ID:
References: <20181101131250.41636-1-smuchun@gmail.com>
User-Agent: Alpine 2.21 (LFD 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 2 Nov 2018, Linus Walleij wrote:

> On Thu, Nov 1, 2018 at 4:27 PM Linus Walleij wrote:
> > On Thu, Nov 1, 2018 at 2:13 PM Muchun Song wrote:
> >
> > > gpiod_request_commit() copies the pointer to the label passed as
> > > an argument only to be used later. But there's a chance the caller
> > > could immediately free the passed string (e.g., local variable).
> > > This could trigger a use after free when we use gpio label (e.g.,
> > > gpiochip_unlock_as_irq(), gpiochip_is_requested()).
> > >
> > > To be on the safe side: duplicate the string with kstrdup_const()
> > > so that if an unaware user passes an address to a stack-allocated
> > > buffer, we won't get the arbitrary label.
> > >
> > > Also fix gpiod_set_consumer_name().
> > >
> > > Signed-off-by: Muchun Song
> >
> > I am still a bit worried about the kstrdup_const() that this
> > introduces.
>
> Forget it. I realized after actually reading the code
> for kstrdup_const() that it really does exactly
> what we want.
>
> I should stop assuming things are syntactic sugar
> in the kernel, we have some really smart people
> working with it...

I didn't know about kstrdup_const() either before just now.

If the device tree lands in the kernel rodata area then all is fine. I
don't know enough about the actual DT processing to be sure though.


Nicolas