Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp863377pxb; Mon, 16 Aug 2021 20:42:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwj2wgQdI1WUP7RAPigWnCkKR9pXDDqWZCGrajuJeWIBt/zv+jzmk+hTPOtLzIHRXXQyhDD X-Received: by 2002:a17:906:aecc:: with SMTP id me12mr1543916ejb.97.1629171764655; Mon, 16 Aug 2021 20:42:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629171764; cv=none; d=google.com; s=arc-20160816; b=KvZz8/ag5WdASV8wfe7m/rBtOci7UvMQ66MNLkJThCDCf06FI6RaqiarGmyW/5oWUw AAUJ+qJnUrXOztSoVPbOj75zTAFXdQy9e0+SpPV4EvAWUfPYoqvdyFhlFSzfnOrTgOoi 4Q5038ogBl9BVdfZB2T24rf+bAVp85HokpS2mrg40hw2tt1cEEjGGBD+qLbXcmWWr+Sf vq3k/cOQ5MV1AyF1qXikI1Zc1eOwDNTn5Tw4+yUnhQ2jKn6O39771oXU9WiCpsYmY0/Y Jku0YNu9TBXKCKmtL1NH3NH6z1DiwEVtRPVs4LaN6jknXEJFVCnoFJn6ilnh/WFE4UY7 qcVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=jqZsGwh+s8FN2ofPqKQuOsVZqEd+6p4/+zeoKmHK+LQ=; b=YHiGRXSQfbUrBH5K7kKldVmTaPwwOIxybNCmKpIzs+D3dgmdJpY+stEpfBaK2NjM16 ajqqQRik5PymdRrv2p3iFlg6dsec7iRvw7wIuvv0jVkYWDlG4ZBuJwdB6LHHwaCu7YKF U1Os4v3ym41d1J6rq7QOPiosUoLIHQYEo6LX9KSAW4LUmB/agnSedzC6e7jvG+XHgJMU mlQBmWjbK5QFEaDoqs2MveOu49xJNdcM2gTss+w96P47SkjezeNvrGCiOyXX78lVMOCD owPdx1FuxsgxPUDP+VQENYqqGX6rbJr5xIGVzhEKnv4Zm6qJouhfuJKAGU9lPJkovJsR EeJw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u23si954143ejx.633.2021.08.16.20.42.22; Mon, 16 Aug 2021 20:42:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234061AbhHQDks (ORCPT + 99 others); Mon, 16 Aug 2021 23:40:48 -0400 Received: from out30-45.freemail.mail.aliyun.com ([115.124.30.45]:41478 "EHLO out30-45.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236783AbhHQDkq (ORCPT ); Mon, 16 Aug 2021 23:40:46 -0400 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R101e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e04423;MF=xianting.tian@linux.alibaba.com;NM=1;PH=DS;RN=3;SR=0;TI=SMTPD_---0UjIiCnh_1629171612; Received: from B-LB6YLVDL-0141.local(mailfrom:xianting.tian@linux.alibaba.com fp:SMTPD_---0UjIiCnh_1629171612) by smtp.aliyun-inc.com(127.0.0.1); Tue, 17 Aug 2021 11:40:13 +0800 Subject: Re: [PATCH] mailbox: fix a UAF bug in msg_submit() To: Guo Ren , jassisinghbrar@gmail.com Cc: Linux Kernel Mailing List References: <20210806121521.124365-1-xianting.tian@linux.alibaba.com> From: Xianting TIan Message-ID: <2ea40053-ffe6-4a61-4cba-66dbc6601026@linux.alibaba.com> Date: Tue, 17 Aug 2021 11:40:12 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.10.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2021/8/11 上午10:37, Guo Ren 写道: > On Fri, Aug 6, 2021 at 8:15 PM Xianting Tian > wrote: >> We met a UAF issue during our mailbox testing. >> >> In synchronous mailbox, we use mbox_send_message() to send a message >> and wait for completion. mbox_send_message() calls msg_submit() to >> send the message for the first time, if timeout, it will send the >> message in tx_tick() for the second time. > Yes, in chan->cl->tx_block will give a second chance to transmit the > msg in tx_tick. If chan->mbox->ops->send_data returned error again, > then mbox_send_message would return to the user's driver, and the user > driver would free the mssg which is still in chan->msg_data & > msg_count. Then it caused "Used After Free" problem. > > The current second chance for chan->cl->tx_block is tricky and it's > hard for mailbox driver and user driver implementation in the way. > I recommend deleting the second chance mechanism totally to make the > code understandable. (If first failed, 2th & 3th & 4th would be still > failed.) > Thanks Guo Ren's comments, Hi Jassi Brar, Could you comment this patch, wthether it is a issue or not?  we look forward to your reply. >> We assume message sending failed for both two times, then the message >> will be still in the internal buffer of a chan(chan->msg_data[idx]). >> It will be send again in the same way when mbox_send_message() is >> called next time. But, at this time this message (chan->msg_data[idx]) >> may be a UAF pointer, as the message is passed to mailbox core by user. >> User may free it after last calling of mbox_send_message() returned >> or not. Who knows!!! >> >> In this patch, if the first time sending timeout, we pass timeout >> info(-ETIME) to msg_submit() when do the second time sending by >> tx_tick(). If it still send failed (chan->mbox->ops->send_data() >> returned non-zero value) in the second time, we will give up this >> message(chan->msg_count--) sending. It doesn't matter, user can chose >> to send it again. >> >> Actually, the issue I described above doesn't exist if >> 'chan->mbox->ops->send_data()' always return 0. Because if it always >> returns 0, we will always do 'chan->msg_count—' regardless of message >> sending success or failure. We have such mailbox driver, for example, >> hi6220_mbox_send_data() always return 0. But we still have mailbox >> drivers, which don't always return 0, for example, flexrm_send_data() >> of drivers/mailbox/bcm-flexrm-mailbox.c. >> >> Signed-off-by: Xianting Tian >> --- >> drivers/mailbox/mailbox.c | 8 ++++---- >> 1 file changed, 4 insertions(+), 4 deletions(-) >> >> diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c >> index 3e7d4b20a..3e010aafa 100644 >> --- a/drivers/mailbox/mailbox.c >> +++ b/drivers/mailbox/mailbox.c >> @@ -50,7 +50,7 @@ static int add_to_rbuf(struct mbox_chan *chan, void *mssg) >> return idx; >> } >> >> -static void msg_submit(struct mbox_chan *chan) >> +static void msg_submit(struct mbox_chan *chan, int last_submit) >> { >> unsigned count, idx; >> unsigned long flags; >> @@ -75,7 +75,7 @@ static void msg_submit(struct mbox_chan *chan) >> chan->cl->tx_prepare(chan->cl, data); >> /* Try to submit a message to the MBOX controller */ >> err = chan->mbox->ops->send_data(chan, data); >> - if (!err) { >> + if (!err || last_submit == -ETIME) { >> chan->active_req = data; >> chan->msg_count--; >> } >> @@ -101,7 +101,7 @@ static void tx_tick(struct mbox_chan *chan, int r) >> spin_unlock_irqrestore(&chan->lock, flags); >> >> /* Submit next message */ >> - msg_submit(chan); >> + msg_submit(chan, r); >> >> if (!mssg) >> return; >> @@ -260,7 +260,7 @@ int mbox_send_message(struct mbox_chan *chan, void *mssg) >> return t; >> } >> >> - msg_submit(chan); >> + msg_submit(chan, 0); >> >> if (chan->cl->tx_block) { >> unsigned long wait; >> -- >> 2.17.1 >> >