Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp1610890pxb; Tue, 17 Aug 2021 16:34:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwNh5sKskFnzrS0K7j8UYW1bF7lpv1iY+cVx/DK1ou3D/X3J0J3aoN3E1RxyO/dyjsfTpxG X-Received: by 2002:a05:6e02:5aa:: with SMTP id k10mr4090522ils.301.1629243284897; Tue, 17 Aug 2021 16:34:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629243284; cv=none; d=google.com; s=arc-20160816; b=W1Ta3ue72QiI6M3sEqzDlKCtYW7Jb+HdPS+IemimnIo79TIcB8PuFjn7nKuvdE7kLl pAwR8eYGlD/4Xx7hEFKkqwwbSYOaZza8AlXd4TvHz98fR/tFKqFrN+QWvaoP4AIOf4y6 AerJ1BfufGGU6/bX5OMvmZAEZ1XHvoCTFSn1cgd/Rpy46FQJR6u6okiEL91KeDFka2yE vaCFHKKrXNDeT7st1eP7vUulc04+sEgjN78iZJQuhCF/q1eZadO79iWpkd95sg5D9uZd eVMmfOSD8lLqDLAuf1puzosek92NSZC2LZfSz7FRKMkxt+abXJr6nAoUKzkZ9MEa6jt4 hNmQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=ebbyQDf83lAGccwLMh/Kj0c9OGvQBXHcZK7MoJ9b83Y=; b=s+H5pbt/6zNP31+JesaQq7YwCOYY9+W4BgoVmZb8DCI252UnR7jl/3k1t60SxrPwyj HIU+Dub1tknrtuYDuFzt7In4kIEQUVgKUnDN0XDnPVpvKPWgJ379biKpg70h7ui0qe+d 4/nv4d+psDCHGv3CrBYSDGqDVL/9c2H2o8qN9+Hgnk+taV0sJ6bVsUgZRx9E8ylL0IhP mQAuOaqmvIaycuOxB9qlzNi+n053qUjeYxGhcmckesfwBcHtvBfNYR+EhV49PRNbMqfD +66AZ3tI27I2wm2i+ROEzurwB3Set+xilDMmqSfV3S2mdAqz/y+7mGa3rm8nniLy7yKI P1oA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=dMI6TH2c; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ay9si4081611iob.85.2021.08.17.16.34.33; Tue, 17 Aug 2021 16:34:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=dMI6TH2c; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234360AbhHQXeZ (ORCPT + 99 others); Tue, 17 Aug 2021 19:34:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40398 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229466AbhHQXeY (ORCPT ); Tue, 17 Aug 2021 19:34:24 -0400 Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CB907C061764 for ; Tue, 17 Aug 2021 16:33:50 -0700 (PDT) Received: by mail-il1-x12d.google.com with SMTP id y3so283443ilm.6 for ; Tue, 17 Aug 2021 16:33:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=ebbyQDf83lAGccwLMh/Kj0c9OGvQBXHcZK7MoJ9b83Y=; b=dMI6TH2cPMXRz0w3x4mlOXmoteQh0DmYw/n+ewd3MbAq8T4cJ/idcugeP+UAALx8tf u+CPsJR8ZVxHQjmZb4ILik3LON4CF77S7ECXYA51mzhEZ3BQa92dEky+6fTNkG80URoA jFay5z/nM07lU6EuszflCWEU6AgD41XbtPOLC/QF028Sd2eJQZNd3TX1HhYaZv8XdsP0 +P+3Ss53/mCXM3A4Ya9SXU8d3uPuaPigiMPhk4FCtAFTxufXXFsZf/QU44D6anXvQB1Z au4oO1YajGd0ERhtNdFo458tH9hX0PuUJKt8TpPHADxdq8XCPUnUBo8EfVlOE59FzjBp aReg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=ebbyQDf83lAGccwLMh/Kj0c9OGvQBXHcZK7MoJ9b83Y=; b=lk4yHaSErGw3Tigz9LQsLvLVpzJZkD/3RHjnIr6ND9403dMN6Q9LccxW5cAjOLnXpd PkQdRg+TxoVe1VF4qw1SbZuIGGX7/gGEvXZqpnu/Rvy10oNdouP8o890fvXRuWvyIDdy KJbP066Smcq/EdnqZnqGLW/tL+15AICKXoGUEHf7CIvTLcQtLXkKTnhCHCycvI4VJ6yB Jf6HuWlWmgWV408VUP+5taSdyvkV7WXOe9425GoYnjS8SwOkxiGd/LiNltOh2yfquRcY Bc394wj7qMWWIvtWQEhQDdRZ6OFdXvg9f2nskar/sPqcCsA0XIP2hT546iT5twnzPy2v D1uA== X-Gm-Message-State: AOAM532eqmGNNeQRO6ZCaVmDL444OO24cdOLyf1w1+mYUqJK45WnSSmp /UscpRMq1QlT9NHRDfjBGGYcYq/cFMJtovrsa28= X-Received: by 2002:a92:c04e:: with SMTP id o14mr3828799ilf.289.1629243230206; Tue, 17 Aug 2021 16:33:50 -0700 (PDT) MIME-Version: 1.0 References: <20210806121521.124365-1-xianting.tian@linux.alibaba.com> <977740a4-c08d-663d-410e-3375d034d2e8@linux.alibaba.com> <26a45754-4227-5f20-8c7d-c320d3905b60@linux.alibaba.com> In-Reply-To: <26a45754-4227-5f20-8c7d-c320d3905b60@linux.alibaba.com> From: Jassi Brar Date: Tue, 17 Aug 2021 18:33:38 -0500 Message-ID: Subject: Re: [PATCH] mailbox: fix a UAF bug in msg_submit() To: Xianting TIan Cc: Linux Kernel Mailing List , guoren@kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 17, 2021 at 3:01 AM Xianting TIan wrote: > > > =E5=9C=A8 2021/8/17 =E4=B8=8B=E5=8D=881:58, Xianting TIan =E5=86=99=E9=81= =93: > > > > =E5=9C=A8 2021/8/17 =E4=B8=8B=E5=8D=8812:29, Jassi Brar =E5=86=99=E9=81= =93: > >> On Fri, Aug 6, 2021 at 7:15 AM Xianting Tian > >> wrote: > >>> We met a UAF issue during our mailbox testing. > >>> > >>> In synchronous mailbox, we use mbox_send_message() to send a message > >>> and wait for completion. mbox_send_message() calls msg_submit() to > >>> send the message for the first time, if timeout, it will send the > >>> message in tx_tick() for the second time. > >>> > >> Seems like your controller's .send_data() returns error. Can you > >> please explain why it does so? Because > >> send_data() only _accepts_ data for further transmission... which > >> should seldom be a problem. > > > > Thanks for the comments, > > > > We developed virtio-mailbox for heterogeneous virtualization system. > > > > virtio-mailbox is based on the mialbox framework. > > > > In virtio framework, its send func 'virtqueue_add_outbuf()' may return > > error, which caused .send_data() return error. And also contains > > other csenarios. > > > > But I think mailbox framework shouldn't depend on .send_data() always > > return OK, as .send_data() is implemented by mailbox hardware > > manufacturer, which is not controlled by mailbox framework itself. > > As I said, send_data() is basically "accepted for transfer", and not "transferred fine". > > You said 'seldom', but it still possible we can meet such issue. sucn > > as flexrm_send_data() of drivers/mailbox/bcm-flexrm-mailbox.c. > > The api is used not just in synchronous mode. And the flexrm driver relies on ACK method, not the synchronous one. > > I think mailbox framework should be work normaly no matter > > .send_data() returns ok or not ok. Do you think so? thanks > Normal is your controller driver should be ready after .startup() and accepts the first message submitted to it. If it does that, everything would work. > Another solution is to ignore the return value of .send_data() in > msg_submit(), > > change > > err =3D chan->mbox->ops->send_data(chan, data); > if (!err) { > chan->active_req =3D data; > chan->msg_count--; > } > > to > > chan->mbox->ops->send_data(chan, data); > chan->active_req =3D data; > chan->msg_count--; > Yes, I also have something like this in mind. Definitely not the hack in your original post. > But the side effect of the solution is obvious, as if send failed in the > first time, it will have no chance to sent it in tx_tick() for the > second time. That is to say, no retry. > The api doesn't retry. The .last_tx_done() is supposed to tell the api when is it ok to send a message. The following should work for you (though I believe your code needs fixing), which anyway, should have been there. diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c index 3e7d4b20ab34..9824a51b82fa 100644 --- a/drivers/mailbox/mailbox.c +++ b/drivers/mailbox/mailbox.c @@ -75,10 +75,12 @@ static void msg_submit(struct mbox_chan *chan) chan->cl->tx_prepare(chan->cl, data); /* Try to submit a message to the MBOX controller */ err =3D chan->mbox->ops->send_data(chan, data); - if (!err) { + if (!err) chan->active_req =3D data; - chan->msg_count--; - } + + /* done with another message */ + chan->msg_count--; + exit: spin_unlock_irqrestore(&chan->lock, flags);