Subject: Re: [PATCH] mailbox: fix a UAF bug in msg_submit()
From: Xianting Tian <xianting.tian@linux.alibaba.com>
To: Jassi Brar
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, guoren@kernel.org
Date: Tue, 17 Aug 2021 13:40:37 +0800
Message-ID: <276286aa-b409-4506-563f-b8dc4f94b526@linux.alibaba.com>
References: <20210806121521.124365-1-xianting.tian@linux.alibaba.com>

On 2021/8/17 12:29 PM, Jassi Brar wrote:
> On Fri, Aug 6, 2021 at 7:15 AM Xianting Tian wrote:
>> We met a UAF issue during our mailbox testing.
>>
>> In a synchronous mailbox, we use mbox_send_message() to send a message
>> and wait for completion. mbox_send_message() calls msg_submit() to
>> send the message for the first time; if it times out, it will send the
>> message in tx_tick() for the second time.
>>
> Seems like your controller's .send_data() returns an error. Can you
> please explain why it does so? Because
> send_data() only _accepts_ data for further transmission... which
> should seldom be a problem.
>
> thanks.