Received: by 2002:ac0:8c9a:0:0:0:0:0 with SMTP id r26csp5135940ima;
        Tue, 5 Feb 2019 06:58:30 -0800 (PST)
X-Google-Smtp-Source: AHgI3IbdEcGzQ5eBr9SiyVmSUTIlfcGDxVLcr//v4W0yD32H9udGa3/9DQC0sEpsxynVYExN3pVu
X-Received: by 2002:a62:8add:: with SMTP id o90mr5371390pfk.210.1549378709946;
        Tue, 05 Feb 2019 06:58:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1549378709; cv=none;
        d=google.com; s=arc-20160816;
        b=Fw4JNILrppC6Oih/ChBklT3zUk4twwBH6vm0Xn4nL9ZiKK4VtV4IQnUvdBbixXJQKu
         tUmEP/wmufo2AjTI6K9C4KGgo6rVLnx5Ca8kpf6wEetD1lCCT+E8cpPV2HxH3l1K6Q02
         fXwa9VYD72CafYPwY+nZ8BypZ9jmRE0mNz7vY965mvZ4/MVfekj3r3X7b1eP+D77JB2t
         zLJDZFSFn8+hjNGdtJ90UP+FLMQ9i7fsIvHwUKBALfBH5PbwLF7Gq1frxNGelVAT69iB
         4qDtBGwQJbDr2IPWTqtgzxmAWU3fOvdgeWa0jyVfqJV10gNZPag2Q97hyoJ37zEWGT0i
         SLCg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=8BjJu2Sz0WY0eSAV8ViA9jF1Xbm3uRhBsyGWH8UCJnk=;
        b=OPpPi+t64fDJyXDYqYHBqGDj11Ft80yxp9I7dqqoJxRgMxrHprTOYCMebz32cNvApD
         V5fHjdFMancDv8mEXXqb2FduqDqRvUiBJK6mPP2edP44drKRgVzQfcZPi/jaHSYlrRUN
         TCg5GNNDBLF4TOTRbU704wppRfEv6bM8q+JrSOCIskm43kNTfTx3g43TM6N5KHr4QvR2
         3hAPNvxPndIESRRQtaQN3Vp+eSu/9rCl1GvOdGErkJfn3+WBnthZEt1k8BoHEjMjYIwK
         H5KEKMtkux/bidOGgTvTaXJJv8ScKZV/t+gxEqZ6SuEPNM1PqKtrXXWBealMU1yNoIRQ
         XjzQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=dlO3BUdk;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m11si3407589plt.26.2019.02.05.06.58.14;
        Tue, 05 Feb 2019 06:58:29 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=dlO3BUdk;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729297AbfBEO51 (ORCPT <rfc822;lans.zhang2008@gmail.com>
        + 99 others); Tue, 5 Feb 2019 09:57:27 -0500
Received: from mail-vk1-f196.google.com ([209.85.221.196]:39166 "EHLO
        mail-vk1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726098AbfBEO51 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Feb 2019 09:57:27 -0500
Received: by mail-vk1-f196.google.com with SMTP id f206so232316vke.6
        for <linux-kernel@vger.kernel.org>; Tue, 05 Feb 2019 06:57:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=8BjJu2Sz0WY0eSAV8ViA9jF1Xbm3uRhBsyGWH8UCJnk=;
        b=dlO3BUdkTZl1QOfKWj8GlYA0v8rG19oMTZHlYf6jc2eUTh2kD8nD8IZsN28CX3Sj9w
         rptHxvpS2deED1cEFipUPY3eyQAeA1RBcFNdiLRJmtXzcyPhjqY3TpisB3+ghelJBAtS
         YZJSoR1WdTWC9jxcNxZRjCj55oKP+DtGDh9HM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=8BjJu2Sz0WY0eSAV8ViA9jF1Xbm3uRhBsyGWH8UCJnk=;
        b=V8rthczxTgRJlgQE9kppEdiGmuztZryIi2nz+c73vBdX2Jg27Zlf738kAbIWRhAsHt
         lhOUVE6I1WMsr8FeN34FGA2JXBfnvcKXa40qgVFr2VGOCRzJjZNXAIJwlDzqG6F4i11K
         iy2FUvrcC5xeke1BzlfSL9wC+KSqbQ1Y5tSrXPbJ7qx6GCwLaLVBZyWEo8i1J+ocuizW
         JTVfFj/vB2bPLpwnjH4x8kuiNTNtpH+21z/sRRdIY/8Bn76mpV5EebSJapUA9ugcx9LS
         LX63fva/oyetv69Ttqdb3ocAceXNILA9aJe7rGsuBMRKBW3Imet1kfOhdy0M0zLb7nze
         Dhbw==
X-Gm-Message-State: AHQUAub9tjaz5K8saD7sFZfJBps+w1DHWzGYDR8K26GLWT/94psCFQ5M
        K4cpebrPe+Adbx6fR3DxjBYEoHb0+Ng=
X-Received: by 2002:a1f:a28a:: with SMTP id l132mr2108474vke.37.1549378645565;
        Tue, 05 Feb 2019 06:57:25 -0800 (PST)
Received: from mail-ua1-f50.google.com (mail-ua1-f50.google.com. [209.85.222.50])
        by smtp.gmail.com with ESMTPSA id x132sm554052vsc.34.2019.02.05.06.57.24
        for <linux-kernel@vger.kernel.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 05 Feb 2019 06:57:24 -0800 (PST)
Received: by mail-ua1-f50.google.com with SMTP id d19so1183449uaq.11
        for <linux-kernel@vger.kernel.org>; Tue, 05 Feb 2019 06:57:24 -0800 (PST)
X-Received: by 2002:a9f:2709:: with SMTP id a9mr2052020uaa.10.1549378643954;
 Tue, 05 Feb 2019 06:57:23 -0800 (PST)
MIME-Version: 1.0
References: <20190204220952.30761-1-TheSven73@googlemail.com>
In-Reply-To: <20190204220952.30761-1-TheSven73@googlemail.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Tue, 5 Feb 2019 14:57:11 +0000
X-Gmail-Original-Message-ID: <CAGXu5jJ0g1FUd3mX=RkJCN=BazaWWybAuapvjngpLcWtz3FQGw@mail.gmail.com>
Message-ID: <CAGXu5jJ0g1FUd3mX=RkJCN=BazaWWybAuapvjngpLcWtz3FQGw@mail.gmail.com>
Subject: Re: [RFC v1 0/3] Address potential user-after-free on module unload
To:     Sven Van Asbroeck <thesven73@gmail.com>
Cc:     Tejun Heo <tj@kernel.org>, Lai Jiangshan <jiangshanlai@gmail.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Sebastian Reichel <sre@kernel.org>,
        Dmitry Torokhov <dmitry.torokhov@gmail.com>,
        Greg KH <gregkh@linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 4, 2019 at 10:09 PM Sven Van Asbroeck <thesven73@gmail.com> wrote:
>
> I think there _might_ be potential use-after-free issues on module unload.
>
> They are hard to trigger, but I think I've seen them bring the whole
> kernel down when they do occur. Can be triggered by doing an insmod of
> a vulnerable module, rapidly followed by an rmmod.
>
> Caused by drivers which schedule work / delayed_work, but do not clean it up
> properly on module unload. Which means the work function could run _after_
> the module has unloaded.
>
> A quick grep through the kernel sources brings up many instances.
> I leave it to people more knowledgeable than me to determine if this problem
> is likely to happen, and/or if it can be exploited to become a security risk.
>
> Perhaps developers can be 'nudged' into doing the right thing by using
> resource-managed versions of INIT_WORK() / INIT_DELAYED_WORK(), which may
> address the issue quite elegantly.

Can a Coccinelle script get written to find module-use of the non-devm
work init?

It seems like finding these in __init functions should be relatively
easy? (Or can we add runtime detection in the existing INIT_*WORK()
code to see if it is running from the wrong place?)

-Kees

>
> Attached is a proposal patch, followed by sample fixes for two vulnerable
> modules. As far as I can tell, many more modules are vulnerable.
>
> Sven Van Asbroeck (3):
>   workqueue: Add resource-managed version of INIT_[DELAYED_]WORK()
>   max17042_battery: fix potential user-after-free on module unload
>   cap11xx: fix potential user-after-free on module unload
>
>  drivers/input/keyboard/cap11xx.c        |  6 ++-
>  drivers/power/supply/max17042_battery.c |  5 ++-
>  include/linux/workqueue.h               |  7 ++++
>  kernel/workqueue.c                      | 54 +++++++++++++++++++++++++
>  4 files changed, 70 insertions(+), 2 deletions(-)
>
> --
> 2.17.1
>


-- 
Kees Cook