Date: Tue, 13 Apr 2021 16:51:38 +0000
From: Luis Chamberlain
To: Anirudh Rayabharam
Cc: Greg Kroah-Hartman, "Rafael J. Wysocki", Junyong Sun, syzbot+de271708674e2093097b@syzkaller.appspotmail.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] firmware_loader: fix use-after-free in firmware_fallback_sysfs
Message-ID: <20210413165138.GI4332@42.do-not-panic.com>
References: <20210413104242.31564-1-mail@anirudhrb.com>
In-Reply-To: <20210413104242.31564-1-mail@anirudhrb.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 13, 2021 at 04:12:42PM +0530, Anirudh Rayabharam wrote:
> The use-after-free happens when a fw_priv object has been freed but
> hasn't been removed from the pending list (pending_fw_head). The next
> time fw_load_sysfs_fallback tries to insert into the list, it ends up
> accessing the pending_list member of the previously freed fw_priv.
>
> In commit bcfbd3523f3c ("firmware: fix a double abort case with
> fw_load_sysfs_fallback"), fw_load_abort() is skipped if
> fw_sysfs_wait_timeout() returns -ENOENT. This causes the fw_priv to
> not be removed from the pending list.
>
> To fix this, delete the fw_priv from the pending list when retval
> is -ENOENT instead of skipping the entire block.
>
> Fixes: bcfbd3523f3c ("firmware: fix a double abort case with fw_load_sysfs_fallback")
> Reported-by: syzbot+de271708674e2093097b@syzkaller.appspotmail.com
> Tested-by: syzbot+de271708674e2093097b@syzkaller.appspotmail.com
> Signed-off-by: Anirudh Rayabharam

Thanks for your patch, Anirudh, but please also see this reply to the issue:

http://lkml.kernel.org/r/20210403013143.GV4332@42.do-not-panic.com

The way you patched the issue is just a band-aid, meaning we keep on moving
the issue further and it seems that's just the wrong approach. Can you try
the patch in that thread, to verify if the UAF goes away?
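As an added illustration (not code from the patch, the kernel, or anyone in this thread): a userspace model of the condition the commit message describes, an fw_priv freed while still linked into pending_fw_head, contrasting the skip-on-ENOENT behaviour attributed to bcfbd3523f3c with unlinking the entry on -ENOENT as well. The list implementation, the reduced fw_priv struct and the *_model / dangling_entry_after_release functions are assumptions of this model rather than firmware_loader code, and the model takes no position on which fix is the right one.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model of the dangling pending-list entry described above. Names follow
 * the report (fw_priv, pending_fw_head), but this is illustrative, not kernel code. */

/* Minimal intrusive doubly linked list standing in for the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
/* Unlink and poison with NULL so list membership stays observable afterwards. */
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL; }
static bool list_linked(const struct list_head *n) { return n->next != NULL; }

/* Only the field the bug concerns: the node linking fw_priv into pending_fw_head. */
struct fw_priv { struct list_head pending_list; };

/* wait_retval stands in for the return value of fw_sysfs_wait_timeout().
 * fixed == false: on -ENOENT the whole abort block, including the unlink, is
 * skipped (the behaviour the report attributes to bcfbd3523f3c).
 * fixed == true: the entry is also unlinked on -ENOENT, before the caller frees it. */
static void fw_load_sysfs_fallback_model(struct fw_priv *fw,
                                         struct list_head *pending_fw_head,
                                         int wait_retval, bool fixed)
{
    list_add(&fw->pending_list, pending_fw_head);
    if (wait_retval < 0 && (wait_retval != -ENOENT || fixed))
        list_del(&fw->pending_list);   /* the list removal the abort block performs */
}

/* Returns true if fw_priv is still linked into pending_fw_head at the moment it
 * is freed: the condition that becomes a use-after-free on the next insertion. */
bool dangling_entry_after_release(bool fixed)
{
    struct list_head pending_fw_head;
    struct fw_priv *fw = calloc(1, sizeof *fw);
    bool dangling;
    list_init(&pending_fw_head);
    fw_load_sysfs_fallback_model(fw, &pending_fw_head, -ENOENT, fixed);
    dangling = list_linked(&fw->pending_list);
    if (dangling)
        list_del(&fw->pending_list);   /* cleanup for the model only; the kernel did not */
    free(fw);
    return dangling;
}
```

The same check generalises to any intrusive-list object: before it is released, its list node must be unlinked (or poisoned) on every exit path, including the early-return ones.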