Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp999908pxb; Tue, 17 Aug 2021 01:02:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzF3KfHpAdQHFG/M7X/b1/6gUJBL2YFuWmxMiSRox6wKq41RHFcnMwhWWrbcmwDQRz4aZqz X-Received: by 2002:a92:c0c9:: with SMTP id t9mr1577200ilf.79.1629187367467; Tue, 17 Aug 2021 01:02:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629187367; cv=none; d=google.com; s=arc-20160816; b=GXWg4ih02BniL+AeQ+NWFvFc6GlUzYNrpjrko5O+lNvTqlcahcp7YM0JCAJ+807yCZ q2QaWA0kLY3czTE/dSXZOT8zPEylxpnzo67Ku/oy7WUNf8elzSZ5Y/WTVzmIOVnOHCqS MbymlsIMjA4vdDhP+lxEdmESZbrnMSrYOLs6zYFtXwZnzJkGAf/djmRzMMO4poFa9i7K h/tlOAEyuajiAExasdLCFuumcV6LO1IQ4nsjvf57DWHxnhQpSQwnfOwnr1d2xM+7wvUU okfvgUU76NsDyEtXuN1VeKdUl3VV2oYxBKMz8xouxdXMzvgyT7ctrVLPH3qZRWlGvtyB QtHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:references:cc:to:from :subject; bh=D0aMAwMIR1j2O61V5tXQNhBGNeVu6QcbFtPxw5zr/ME=; b=w7WxoTzXfE9B3mL+a2L92jeMlUPNu3U5mPWIm1dTllDe5ZUZ61+Suq/bIXRfggz8WZ pa/BO910jPcxembfngEa7YrafExBxF/IOi3quRfqxhEpxikpQRAignOHPc+rJayXj0PD FOYgTmG5w5seUmo1LC+O1w+GEuC0V8y4sq4Ape/HXJ/fCaDCv260LYqrXjPpZVuq6N4m GGRzEGCJ+XAHy0S0CEMVmbhrhVtobnypSeuovsluujdjtukTmyYsH///dyz7n3137JUv dgj+WWEY3aOm3S2qkQlVMipUbzthCXzEskBe90hyl0ObiV67PR1kP1gJLLp47OoP4BrE BOdQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r3si1707392ile.126.2021.08.17.01.02.18; Tue, 17 Aug 2021 01:02:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234693AbhHQIBo (ORCPT + 99 others); Tue, 17 Aug 2021 04:01:44 -0400 Received: from out30-43.freemail.mail.aliyun.com ([115.124.30.43]:57811 "EHLO out30-43.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234446AbhHQIBn (ORCPT ); Tue, 17 Aug 2021 04:01:43 -0400 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R111e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e04394;MF=xianting.tian@linux.alibaba.com;NM=1;PH=DS;RN=3;SR=0;TI=SMTPD_---0UjKs9XH_1629187268; Received: from B-LB6YLVDL-0141.local(mailfrom:xianting.tian@linux.alibaba.com fp:SMTPD_---0UjKs9XH_1629187268) by smtp.aliyun-inc.com(127.0.0.1); Tue, 17 Aug 2021 16:01:09 +0800 Subject: Re: [PATCH] mailbox: fix a UAF bug in msg_submit() From: Xianting TIan To: Jassi Brar Cc: Linux Kernel Mailing List , guoren@kernel.org References: <20210806121521.124365-1-xianting.tian@linux.alibaba.com> <977740a4-c08d-663d-410e-3375d034d2e8@linux.alibaba.com> Message-ID: <26a45754-4227-5f20-8c7d-c320d3905b60@linux.alibaba.com> Date: Tue, 17 Aug 2021 16:01:08 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.10.1 MIME-Version: 1.0 In-Reply-To: <977740a4-c08d-663d-410e-3375d034d2e8@linux.alibaba.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2021/8/17 下午1:58, Xianting TIan 写道: > > 在 2021/8/17 下午12:29, Jassi Brar 写道: >> On Fri, Aug 6, 2021 at 7:15 AM Xianting Tian >> wrote: >>> We met a UAF issue during our mailbox testing. >>> >>> In synchronous mailbox, we use mbox_send_message() to send a message >>> and wait for completion. mbox_send_message() calls msg_submit() to >>> send the message for the first time, if timeout, it will send the >>> message in tx_tick() for the second time. >>> >> Seems like your controller's  .send_data() returns error. Can you >> please explain why it does so? Because >> send_data() only _accepts_ data for further transmission... which >> should seldom be a problem. > > Thanks for the comments, > > We developed virtio-mailbox for heterogeneous virtualization system. > > virtio-mailbox is based on the mialbox framework. > > In virtio framework, its send func 'virtqueue_add_outbuf()' may return > error, which caused .send_data() return error.  And also contains > other csenarios. > > But I think mailbox framework shouldn't depend on .send_data() always > return OK,  as .send_data() is implemented by mailbox hardware > manufacturer, which is not controlled by mailbox framework itself. > > You said 'seldom',  but it still possible we can meet such issue. sucn > as flexrm_send_data() of drivers/mailbox/bcm-flexrm-mailbox.c. > > I think mailbox framework should be work normaly no matter > .send_data() returns ok or not ok.  Do you think so? thanks Another solution is to ignore the return value of .send_data() in msg_submit(), change         err = chan->mbox->ops->send_data(chan, data);         if (!err) {                 chan->active_req = data;                 chan->msg_count--;         } to         chan->mbox->ops->send_data(chan, data);         chan->active_req = data;         chan->msg_count--; But the side effect of the solution is obvious, as if send failed in the first time, it will have no chance to sent it in tx_tick() for the second time. That is to say, no retry. So I think the solution in this patch is better. Looking forward to your further comments, thanks > >> >> thanks.