Message-ID: <42bb615d-995a-5bcb-d481-f0d6054d4398@redhat.com>
Date: Thu, 1 Sep 2022 17:51:10 +0200
Subject: Re: [PATCH v1 1/1] platform/x86: p2sb: Fix UAF when caller uses resource name
To: Andy Shevchenko, platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Mark Gross, kernel test robot, Mika Westerberg
References: <20220901113406.65876-1-andriy.shevchenko@linux.intel.com>
From: Hans de Goede
In-Reply-To: <20220901113406.65876-1-andriy.shevchenko@linux.intel.com>

Hi,

On 9/1/22 13:34, Andy Shevchenko wrote:
> We have to copy only selected fields from the original resource.
> Because a PCI device will be removed immediately after getting
> its resources, we may not use any allocated data, hence we may
> not copy any pointers.
>
> Consider the following scenario:
>
> 1/ a caller of p2sb_bar() gets the resource;
>
> 2/ the resource has been copied by platform_device_add_data()
>    in order to create a platform device;
>
> 3/ the platform device creation will call for the device driver's
>    ->probe() as soon as a match is found;
>
> 4/ the ->probe() takes given resources (see 2/) and tries to
>    access one of its fields, i.e. 'name', in the
>    __devm_ioremap_resource() to create a pretty looking output;
>
> 5/ but the 'name' is a dangling pointer because p2sb_bar()
>    removed a PCI device, which 'name' had been copied to
>    the caller's memory.
>
> 6/ UAF (Use-After-Free) as a result.
>
> Kudos to Mika for the initial analysis of the issue.
>
> Fixes: 9745fb07474f ("platform/x86/intel: Add Primary to Sideband (P2SB) bridge support")
> Reported-by: kernel test robot
> Suggested-by: Mika Westerberg
> Link: https://lore.kernel.org/linux-i2c/YvPCbnKqDiL2XEKp@xsang-OptiPlex-9020/
> Link: https://lore.kernel.org/linux-i2c/YtjAswDKfiuDfWYs@xsang-OptiPlex-9020/
> Signed-off-by: Andy Shevchenko

Thank you for your patch, I've applied this patch to my review-hans
branch:
https://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86.git/log/?h=review-hans

Note it will show up in my review-hans branch once I've pushed my
local branch there, which might take a while.

Once I've run some tests on this branch the patches there will be
added to the platform-drivers-x86/for-next branch and eventually
will be included in the pdx86 pull-request to Linus for the next
merge-window.

Regards,

Hans

> --- > drivers/platform/x86/p2sb.c | 18 ++++++++++++++++-- > 1 file changed, 16 insertions(+), 2 deletions(-) > > diff --git a/drivers/platform/x86/p2sb.c b/drivers/platform/x86/p2sb.c > index fb2e141f3eb8..384d0962ae93 100644 > --- a/drivers/platform/x86/p2sb.c > +++ b/drivers/platform/x86/p2sb.c > @@ -42,10 +42,24 @@ static int p2sb_get_devfn(unsigned int *devfn) > return 0; > } > > +/* Copy resource from the first BAR of the device in question */ > static int p2sb_read_bar0(struct pci_dev *pdev, struct resource *mem) > { > - /* Copy resource from the first BAR of the device in question */ > - *mem = pdev->resource[0]; > + struct resource *bar0 = &pdev->resource[0]; > + > + /* Make sure we have no dangling pointers in the output */ > + memset(mem, 0, sizeof(*mem)); > + > + /* > + * We copy only selected fields from the original resource. > + * Because a PCI device will be removed soon, we may not use > + * any allocated data, hence we may not copy any pointers. > + */ > + mem->start = bar0->start; > + mem->end = bar0->end; > + mem->flags = bar0->flags; > + mem->desc = bar0->desc; > + > return 0; > } >
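Review bot: the memset plus field-by-field copy in p2sb_read_bar0() deliberately leaves the pointer members of the output (name, parent, sibling, child) NULL, so every consumer of the resource returned by p2sb_bar() must tolerate a NULL name; if __devm_ioremap_resource(), the consumer the commit message names, did not, the fix would trade the UAF for a NULL dereference, so the new comment should say explicitly that the pointer fields are left NULL on purpose and that callers must cope with that, otherwise a later cleanup may re-add `mem->name = bar0->name;`. As a style point, a designated initializer such as `*mem = (struct resource){ .start = bar0->start, .end = bar0->end, .flags = bar0->flags, .desc = bar0->desc };` expresses the zeroing and the selective copy in one statement and cannot drift apart from a separate memset.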
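The lifetime problem in steps 1 to 5 of the commit message, modelled in userspace C as an added example (not kernel code and not part of Andy's patch): `struct resource`, `struct pci_dev`, the device name and the BAR values are constructed stand-ins, and the two copy routines mirror the pre-patch and patched p2sb_read_bar0(). The harness checks, before the device is freed, whether the caller's copy still points into device-owned memory.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed userspace stand-ins for the kernel types (not kernel code). */
struct resource {
	uint64_t start, end;
	unsigned long flags, desc;
	const char *name;	/* points at memory owned by the PCI device */
};
struct pci_dev {
	char name[16];		/* freed together with the device on removal */
	struct resource resource[1];
};

/* Pre-patch behaviour: the whole struct, pointer included, is copied. */
static void read_bar0_shallow(struct pci_dev *pdev, struct resource *mem)
{
	*mem = pdev->resource[0];
}

/* Patched pattern: zero the output, then copy only the value fields. */
static void read_bar0_safe(struct pci_dev *pdev, struct resource *mem)
{
	struct resource *bar0 = &pdev->resource[0];
	memset(mem, 0, sizeof(*mem));
	mem->start = bar0->start;
	mem->end = bar0->end;
	mem->flags = bar0->flags;
	mem->desc = bar0->desc;
}

/* Steps 1 and 5 of the commit message: take the caller's copy, then remove the
 * device.  Returns 1 if the copy still points into the device's memory, i.e. a
 * later ->probe() reading mem->name would touch freed memory. */
static int copy_keeps_device_pointer(void (*read_bar0)(struct pci_dev *,
							struct resource *))
{
	struct pci_dev *pdev = calloc(1, sizeof(*pdev));
	uintptr_t lo = (uintptr_t)pdev, hi = lo + sizeof(*pdev);
	struct resource mem;
	strcpy(pdev->name, "0000:00:1f.1");	/* constructed device name */
	pdev->resource[0] = (struct resource){ .start = 0xfd000000,
		.end = 0xfdffffff, .flags = 0x200, .name = pdev->name };
	read_bar0(pdev, &mem);
	int dangling = (uintptr_t)mem.name >= lo && (uintptr_t)mem.name < hi;
	free(pdev);	/* device removed: mem.name must not be used past here */
	assert(mem.start == 0xfd000000 && mem.end == 0xfdffffff);
	return dangling;
}
```

The shallow copy reports a pointer into the freed device (the UAF in step 6), while the selective copy carries only values and a NULL name, which is why consumers of p2sb_bar()'s result must accept a NULL name.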