Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp1610890pxb;
        Tue, 17 Aug 2021 16:34:45 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwNh5sKskFnzrS0K7j8UYW1bF7lpv1iY+cVx/DK1ou3D/X3J0J3aoN3E1RxyO/dyjsfTpxG
X-Received: by 2002:a05:6e02:5aa:: with SMTP id k10mr4090522ils.301.1629243284897;
        Tue, 17 Aug 2021 16:34:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1629243284; cv=none;
        d=google.com; s=arc-20160816;
        b=W1Ta3ue72QiI6M3sEqzDlKCtYW7Jb+HdPS+IemimnIo79TIcB8PuFjn7nKuvdE7kLl
         pAwR8eYGlD/4Xx7hEFKkqwwbSYOaZza8AlXd4TvHz98fR/tFKqFrN+QWvaoP4AIOf4y6
         AerJ1BfufGGU6/bX5OMvmZAEZ1XHvoCTFSn1cgd/Rpy46FQJR6u6okiEL91KeDFka2yE
         vaCFHKKrXNDeT7st1eP7vUulc04+sEgjN78iZJQuhCF/q1eZadO79iWpkd95sg5D9uZd
         eVMmfOSD8lLqDLAuf1puzosek92NSZC2LZfSz7FRKMkxt+abXJr6nAoUKzkZ9MEa6jt4
         hNmQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=ebbyQDf83lAGccwLMh/Kj0c9OGvQBXHcZK7MoJ9b83Y=;
        b=s+H5pbt/6zNP31+JesaQq7YwCOYY9+W4BgoVmZb8DCI252UnR7jl/3k1t60SxrPwyj
         HIU+Dub1tknrtuYDuFzt7In4kIEQUVgKUnDN0XDnPVpvKPWgJ379biKpg70h7ui0qe+d
         4/nv4d+psDCHGv3CrBYSDGqDVL/9c2H2o8qN9+Hgnk+taV0sJ6bVsUgZRx9E8ylL0IhP
         mQAuOaqmvIaycuOxB9qlzNi+n053qUjeYxGhcmckesfwBcHtvBfNYR+EhV49PRNbMqfD
         +66AZ3tI27I2wm2i+ROEzurwB3Set+xilDMmqSfV3S2mdAqz/y+7mGa3rm8nniLy7yKI
         P1oA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=dMI6TH2c;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id ay9si4081611iob.85.2021.08.17.16.34.33;
        Tue, 17 Aug 2021 16:34:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=dMI6TH2c;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234360AbhHQXeZ (ORCPT <rfc822;liuchenandwork@gmail.com>
        + 99 others); Tue, 17 Aug 2021 19:34:25 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40398 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229466AbhHQXeY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Aug 2021 19:34:24 -0400
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CB907C061764
        for <linux-kernel@vger.kernel.org>; Tue, 17 Aug 2021 16:33:50 -0700 (PDT)
Received: by mail-il1-x12d.google.com with SMTP id y3so283443ilm.6
        for <linux-kernel@vger.kernel.org>; Tue, 17 Aug 2021 16:33:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=ebbyQDf83lAGccwLMh/Kj0c9OGvQBXHcZK7MoJ9b83Y=;
        b=dMI6TH2cPMXRz0w3x4mlOXmoteQh0DmYw/n+ewd3MbAq8T4cJ/idcugeP+UAALx8tf
         u+CPsJR8ZVxHQjmZb4ILik3LON4CF77S7ECXYA51mzhEZ3BQa92dEky+6fTNkG80URoA
         jFay5z/nM07lU6EuszflCWEU6AgD41XbtPOLC/QF028Sd2eJQZNd3TX1HhYaZv8XdsP0
         +P+3Ss53/mCXM3A4Ya9SXU8d3uPuaPigiMPhk4FCtAFTxufXXFsZf/QU44D6anXvQB1Z
         au4oO1YajGd0ERhtNdFo458tH9hX0PuUJKt8TpPHADxdq8XCPUnUBo8EfVlOE59FzjBp
         aReg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=ebbyQDf83lAGccwLMh/Kj0c9OGvQBXHcZK7MoJ9b83Y=;
        b=lk4yHaSErGw3Tigz9LQsLvLVpzJZkD/3RHjnIr6ND9403dMN6Q9LccxW5cAjOLnXpd
         PkQdRg+TxoVe1VF4qw1SbZuIGGX7/gGEvXZqpnu/Rvy10oNdouP8o890fvXRuWvyIDdy
         KJbP066Smcq/EdnqZnqGLW/tL+15AICKXoGUEHf7CIvTLcQtLXkKTnhCHCycvI4VJ6yB
         Jf6HuWlWmgWV408VUP+5taSdyvkV7WXOe9425GoYnjS8SwOkxiGd/LiNltOh2yfquRcY
         Bc394wj7qMWWIvtWQEhQDdRZ6OFdXvg9f2nskar/sPqcCsA0XIP2hT546iT5twnzPy2v
         D1uA==
X-Gm-Message-State: AOAM532eqmGNNeQRO6ZCaVmDL444OO24cdOLyf1w1+mYUqJK45WnSSmp
        /UscpRMq1QlT9NHRDfjBGGYcYq/cFMJtovrsa28=
X-Received: by 2002:a92:c04e:: with SMTP id o14mr3828799ilf.289.1629243230206;
 Tue, 17 Aug 2021 16:33:50 -0700 (PDT)
MIME-Version: 1.0
References: <20210806121521.124365-1-xianting.tian@linux.alibaba.com>
 <CABb+yY3i5aZQrimoWLTMQRY5WsOJ1FCGNxBN0Hz_=4qxUvoqSw@mail.gmail.com>
 <977740a4-c08d-663d-410e-3375d034d2e8@linux.alibaba.com> <26a45754-4227-5f20-8c7d-c320d3905b60@linux.alibaba.com>
In-Reply-To: <26a45754-4227-5f20-8c7d-c320d3905b60@linux.alibaba.com>
From:   Jassi Brar <jassisinghbrar@gmail.com>
Date:   Tue, 17 Aug 2021 18:33:38 -0500
Message-ID: <CABb+yY337=BVjHygv7wurj9Hh8-dj2aMyMnh54WL0CovyMfi_w@mail.gmail.com>
Subject: Re: [PATCH] mailbox: fix a UAF bug in msg_submit()
To:     Xianting TIan <xianting.tian@linux.alibaba.com>
Cc:     Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        guoren@kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 17, 2021 at 3:01 AM Xianting TIan
<xianting.tian@linux.alibaba.com> wrote:
>
>
> =E5=9C=A8 2021/8/17 =E4=B8=8B=E5=8D=881:58, Xianting TIan =E5=86=99=E9=81=
=93:
> >
> > =E5=9C=A8 2021/8/17 =E4=B8=8B=E5=8D=8812:29, Jassi Brar =E5=86=99=E9=81=
=93:
> >> On Fri, Aug 6, 2021 at 7:15 AM Xianting Tian
> >> <xianting.tian@linux.alibaba.com> wrote:
> >>> We met a UAF issue during our mailbox testing.
> >>>
> >>> In synchronous mailbox, we use mbox_send_message() to send a message
> >>> and wait for completion. mbox_send_message() calls msg_submit() to
> >>> send the message for the first time, if timeout, it will send the
> >>> message in tx_tick() for the second time.
> >>>
> >> Seems like your controller's  .send_data() returns error. Can you
> >> please explain why it does so? Because
> >> send_data() only _accepts_ data for further transmission... which
> >> should seldom be a problem.
> >
> > Thanks for the comments,
> >
> > We developed virtio-mailbox for heterogeneous virtualization system.
> >
> > virtio-mailbox is based on the mialbox framework.
> >
> > In virtio framework, its send func 'virtqueue_add_outbuf()' may return
> > error, which caused .send_data() return error.  And also contains
> > other csenarios.
> >
> > But I think mailbox framework shouldn't depend on .send_data() always
> > return OK,  as .send_data() is implemented by mailbox hardware
> > manufacturer, which is not controlled by mailbox framework itself.
> >
As I said, send_data() is basically "accepted for transfer",  and not
"transferred fine".

> > You said 'seldom',  but it still possible we can meet such issue. sucn
> > as flexrm_send_data() of drivers/mailbox/bcm-flexrm-mailbox.c.
> >
The api is used not just in synchronous mode.
And the flexrm driver relies on ACK method, not the synchronous one.

> > I think mailbox framework should be work normaly no matter
> > .send_data() returns ok or not ok.  Do you think so? thanks
>
Normal is your controller driver should be ready after .startup() and
accepts the first message submitted to it.
If it does that, everything would work.

> Another solution is to ignore the return value of .send_data() in
> msg_submit(),
>
> change
>
>          err =3D chan->mbox->ops->send_data(chan, data);
>          if (!err) {
>                  chan->active_req =3D data;
>                  chan->msg_count--;
>          }
>
> to
>
>          chan->mbox->ops->send_data(chan, data);
>          chan->active_req =3D data;
>          chan->msg_count--;
>
Yes, I also have something like this in mind. Definitely not the hack
in your original post.

> But the side effect of the solution is obvious, as if send failed in the
> first time, it will have no chance to sent it in tx_tick() for the
> second time. That is to say, no retry.
>
The api doesn't retry.  The  .last_tx_done() is supposed to tell the
api when is it ok to send a message.

The following should work for you (though I believe your code needs
fixing), which anyway, should have been there.

diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index 3e7d4b20ab34..9824a51b82fa 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -75,10 +75,12 @@ static void msg_submit(struct mbox_chan *chan)
                chan->cl->tx_prepare(chan->cl, data);
        /* Try to submit a message to the MBOX controller */
        err =3D chan->mbox->ops->send_data(chan, data);
-       if (!err) {
+       if (!err)
                chan->active_req =3D data;
-               chan->msg_count--;
-       }
+
+       /* done with another message */
+       chan->msg_count--;
+
 exit:
        spin_unlock_irqrestore(&chan->lock, flags);