Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2779883pxk;
        Sun, 6 Sep 2020 13:16:19 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxs4QUgR2AjoyD7ruw5nP4yRQXSNHND7+KsmI0zeUIIh/BvbggYnETfsk+hYGomgpTsSdy/
X-Received: by 2002:a50:a0c7:: with SMTP id 65mr18303862edo.375.1599423379171;
        Sun, 06 Sep 2020 13:16:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1599423379; cv=none;
        d=google.com; s=arc-20160816;
        b=ZyQ6fMFr40hkU7RFmWAp1q9C8MOa+0GFbVavxfoQpVkhuWGevd4COKuKi78xt8irjv
         28Fokuj+NQ/eJ1zbL+EEXJhS+FUsRLEdfjpXHq6PyMtvTOa1B7pc2BuR0Fgig5rnYmQL
         l2OBmHlmSuBZulEs4KM6z9frYRdt6VUH46gy0UG9KmL7hdZWjTyK5DuXfChD2u1f5SOs
         54fJGJSZQ1RfkFFGqErvaDD9tQxDqYa0IgyTob8Pb0F7863L8E2Z1Dh2MdqHTyoihFvC
         hIGIEhDm3g6uYW6l1GSdnXnFWqVhfVSglYmR5bSd6zuLUUICf12qwfKTEStstXkWhoJx
         svcw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:to:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:from:dkim-signature;
        bh=fMygZrwawBCdGQ2bBFDMvJ3Y2e+cfl4sBDGo7UGztys=;
        b=KouB2eFbLltk+1CFwSwH0A8SG/2C4fzow+LqA6EW/QD0wGn8Qh3nvK1XWn18AaLtI1
         PVUEioMGTuabCr1r7vq5v3Mz9N0dnDo5SB/Ki+fYZlDQQhwj9Hs3s3kjm7nYdJBbdXuC
         NdmGatBHsGDTHzks0s4caTNsL+bFdbMkSTYG6hm+xv4eZ8e1pLu/MXEMhd4rAESJA+VI
         bpqZ+IMCMmSGiXvF9Z2nGbCzgPfGWAdvWNVL7AipZ7rcoPauMmBRn0X8m+nHWTmelaCw
         LgzQscny2VQBso4PTcMRznLuUqr9+WKVxmKjwOs9l2v9nmZWrZdNRV9Dra1llewVA1EU
         aFNQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=L4BXwmWD;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id y10si8979138edi.9.2020.09.06.13.15.56;
        Sun, 06 Sep 2020 13:16:19 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=L4BXwmWD;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726482AbgIFUMS (ORCPT <rfc822;chauncqc@gmail.com> + 99 others);
        Sun, 6 Sep 2020 16:12:18 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44498 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726154AbgIFUMO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 6 Sep 2020 16:12:14 -0400
Received: from mail-pg1-x544.google.com (mail-pg1-x544.google.com [IPv6:2607:f8b0:4864:20::544])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9DE29C061573
        for <linux-kernel@vger.kernel.org>; Sun,  6 Sep 2020 13:12:12 -0700 (PDT)
Received: by mail-pg1-x544.google.com with SMTP id e33so7046262pgm.0
        for <linux-kernel@vger.kernel.org>; Sun, 06 Sep 2020 13:12:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=fMygZrwawBCdGQ2bBFDMvJ3Y2e+cfl4sBDGo7UGztys=;
        b=L4BXwmWDvemqRJGMuLN9aM59ZoBRJbDiKherzXRYsVuFip8Ct5P0Xo8HzEgxOnEJLk
         fEyfQiKDUZOHF7XLgfXFHdnmZV23yYOSKwrO+2/N5ssNQqqzPcbIFZSzGkLgJkbe3i62
         jVEIcuIDzeDD26X5lY8scOfzlkXBvamq5dkXqjiDZFCv3RgLpISw25ly12G/Cwk6S48R
         MFu21cff5CVj4VjLwvZnL7yQqKjP2MNNMaf4lZ5rn4QRtDxvA3usHQiJiCMZMPGo5szU
         zEn3dnxBuKOgnQ72NzwoQBdCEQMXWuzfwh0XH5wGr5Hf4M0fWz1Xf8slBxWjg0Dedy/p
         lBQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=fMygZrwawBCdGQ2bBFDMvJ3Y2e+cfl4sBDGo7UGztys=;
        b=rGZsi8NU3F8wT76Cos45ZdCxaeN9pFc4vRrg/WDucMFK7XYvMZx5qi3wM9sfFq3ZhS
         I5yNbqto5Eq3/ycMZo0Tmhf1sspRho8j3KlcKr3vtJAHKFw2Yk2RuQd6IRORZNtufxXn
         otSVwQ956IURPEjKL1wZR0L2FthMK0ZgnIMi6Z8LxsJFD/+ab55v/3M07gfqO+9bTNFp
         PabKa8nPmCow0JNiNJC6ItQBPGHySwgiJOe2jMWnpxTBaDsgmt76h4fCMQVGDMlpOcep
         0i+rEZUFRjKykh+UrqjakQPiatUGDxr+U/pnAGPUyEmwow/a4VpURQn2efUxu0LL7504
         Ksig==
X-Gm-Message-State: AOAM531EjSRGg5gM9SAeSREEI78UI+xAJletcJ5qJ/xw6E29ub+7duxr
        SJqHO9qw7pyjW0HFzV4VMLQ=
X-Received: by 2002:a62:5e04:: with SMTP id s4mr17619755pfb.67.1599423126651;
        Sun, 06 Sep 2020 13:12:06 -0700 (PDT)
Received: from localhost.localdomain ([49.207.209.246])
        by smtp.gmail.com with ESMTPSA id v12sm10705735pgk.81.2020.09.06.13.12.01
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 06 Sep 2020 13:12:05 -0700 (PDT)
From:   Anant Thazhemadam <anant.thazhemadam@gmail.com>
Cc:     linux-kernel-mentees@lists.linuxfoundation.org,
        Anant Thazhemadam <anant.thazhemadam@gmail.com>,
        syzbot+b8639c8dcb5ec4483d4f@syzkaller.appspotmail.com,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Saravana Kannan <saravanak@google.com>,
        "Rafael J. Wysocki" <rafael@kernel.org>,
        Jean-Philippe Brucker <jean-philippe@linaro.org>,
        Dan Williams <dan.j.williams@intel.com>,
        Joerg Roedel <jroedel@suse.de>,
        Bartosz Golaszewski <bgolaszewski@baylibre.com>,
        linux-kernel@vger.kernel.org
Subject: [Linux-kernel-mentees] [PATCH] block : Fix use-after-free Read in delete_partition
Date:   Mon,  7 Sep 2020 01:41:56 +0530
Message-Id: <20200906201158.14014-1-anant.thazhemadam@gmail.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
To:     unlisted-recipients:; (no To-header on input)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

A use-after-free read of the kobject member being casted out to the
device structure containing it seems to be potentially possible
due to unsafe casting using container_of (since an edge case such
as when the ptr being casted might be NULL or problematic is not
accounted for).
Using container_of_safe resolves this issue, with no obvious tradeoffs
and without considerable expense.

Reported-by: syzbot+b8639c8dcb5ec4483d4f@syzkaller.appspotmail.com
Tested-by: syzbot+b8639c8dcb5ec4483d4f@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
---
 include/linux/device.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/device.h b/include/linux/device.h
index ca18da4768e3..aeb70b7a37e6 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -643,7 +643,7 @@ struct device_link {
 
 static inline struct device *kobj_to_dev(struct kobject *kobj)
 {
-	return container_of(kobj, struct device, kobj);
+	return container_of_safe(kobj, struct device, kobj);
 }
 
 /**
-- 
2.25.1