Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp6832378rwn; Tue, 13 Sep 2022 09:33:40 -0700 (PDT) X-Google-Smtp-Source: AA6agR7OPe+QqPUVBZq4BXbzO0I3aNg5j0lYQUf+mslWtvKJtCLNVadffAwygQXAwye0xGHAV7aC X-Received: by 2002:a17:902:7c11:b0:172:71ea:e99 with SMTP id x17-20020a1709027c1100b0017271ea0e99mr7696369pll.73.1663086820587; Tue, 13 Sep 2022 09:33:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663086820; cv=none; d=google.com; s=arc-20160816; b=FuYBzo1YH5ICkchq48e2BMEc+k+OtrzUEtAetfer0b33UesUc81yN7MJa88VZ8Zy1R iF3xMx5x8Rm/EJ+y/pPMIFO65S3g4RpllYmio2C+4Hj/ILbVoND2OGdU0hJjYbyhcpIG Hqa8HXoGB1hXOK+TpZ1FnUPulDB0hnKcR6AjU2Tr0OFfOEE4Z/uLnqnXRFDE83USvOd8 z5cVRr2wdI1l/Hp5Oju0Tp/r4Uu2xPKngIbe7tytuTu1VGRHGmshK/Zmmqt8Twjp8SaE m5p8uAUeo1f/JEKcxblF+khkBnfBGT5qUqniFBGGqBuVCFrZrciPjghEKsn+4mhRAR9q o98g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:subject:cc:to:from:date:references:in-reply-to :message-id:mime-version:user-agent:feedback-id:dkim-signature :dkim-signature; bh=6WDVl+FxeNDCcpynjpOQNvlmq++3+t9EkUarQBFJbEg=; b=AzIgUNHNl+2v+qta1S31f4jz1aAohR75JJHf/cQ3IO3p1F/vwZioCzd6LlXug2AJai r5tADV7WeFNfB2IKjnDfw5h1ZfkNZoGgYvOwVslAWuDU2l38nKJK6gy6SdSSq4Udvrim wye4wevdyKD6ZbeGyh3piTcI2svFq339CKokQNsl932uvQGFwzLzPJzJJOoydDFJ3Ug6 2U4HBrHPmTBn8saKazVqztL9eK+jC8vCvzDLu2HKnPE54rbB8vcAzjT+zA8m0LaNGd3h glgbRzU2YRI+jIdqDACJDfFqEIJwBRAN3DUqHKFSdng9wBCtz6JJgu9nIaQEeTmyhJS7 NmHA== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (expired) header.i=@arndb.de header.s=fm1; dkim=neutral (expired) header.i=@messagingengine.com header.s=fm2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l71-20020a63914a000000b0041a4f4a2afesi11438473pge.411.2022.09.13.09.33.28; Tue, 13 Sep 2022 09:33:40 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=neutral (expired) header.i=@arndb.de header.s=fm1; dkim=neutral (expired) header.i=@messagingengine.com header.s=fm2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230320AbiIMQFN (ORCPT + 99 others); Tue, 13 Sep 2022 12:05:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37692 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232708AbiIMQEp (ORCPT ); Tue, 13 Sep 2022 12:04:45 -0400 Received: from wnew3-smtp.messagingengine.com (wnew3-smtp.messagingengine.com [64.147.123.17]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9F29697ED4 for ; Tue, 13 Sep 2022 08:00:59 -0700 (PDT) Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailnew.west.internal (Postfix) with ESMTP id E75862B059BE; Tue, 13 Sep 2022 10:59:50 -0400 (EDT) Received: from imap51 ([10.202.2.101]) by compute3.internal (MEProxy); Tue, 13 Sep 2022 10:59:51 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arndb.de; h=cc :cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1663081190; x=1663084790; bh=6WDVl+FxeN DCcpynjpOQNvlmq++3+t9EkUarQBFJbEg=; b=dyQyV+88NtFBn91R8cEh1EA7Jb dZi/IJx3lavBUXHvadO9QHL3OgKi+Va2Qf3D081GvS60G7MbDJCUFiQvEVDOS352 pILLLnnMapMZ0xFIA0EOJc+nM5GzvOVemArYdrkgaa+scfZRanMu6XimPZyfOvrF u+3f62NN2/xiOQ/Tt23JXEC3dii8lfZdnyZ2oOrxZDpQ4T2iTRERydY8218Wp+TS 7MpLEtTMSBMOitYi7ZyeAbInO4bsvpN1dn0S8Xm5Innb8B4On5Pts6n7mAoj6C/5 HnqocnuUvTt4MxY/kmzfn5pxxNPgC6x1w2IfUo+GAeoNAKmO4HMXvGQ8Xx7g== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1663081190; x=1663084790; bh=6WDVl+FxeNDCcpynjpOQNvlmq++3 +t9EkUarQBFJbEg=; b=T0oWltYnjvCzxlO4eXzmefuYUZUgd08phr1TMP/YIJJY F/6/UvYTTmPnOYM2I3xELnOaRscmMis4SXLKfza7Mf7nVa/vRhsWjtdIzRLFjtym owEAN5XD3c3+SmRwab2gppq7Rq7deA01qnFOPxMoFgFBaXfqMQfu2oWzvqom1ja8 KKhYVkx4V+75XJSuZKcrtx8fZsIbTbwK7Eoki/a8+L+pMuMdzBmrDnpSI57dCngj nFVoiC8Y0PjJj4KUUw/TN17Mnpc5Rlue5HDye0be7GyUAbJ4T1HEYenn8WunZBXe ZXaECj1xj0safDu8m3uJ0VgqMLzQNNnU4XayJAFHNA== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrfedugedgkeegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvfevufgtsehttdertderredtnecuhfhrohhmpedftehr nhguuceuvghrghhmrghnnhdfuceorghrnhgusegrrhhnuggsrdguvgeqnecuggftrfgrth htvghrnhepvefhffeltdegheeffffhtdegvdehjedtgfekueevgfduffettedtkeekueef hedunecuffhomhgrihhnpehkvghrnhgvlhdrohhrghenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegrrhhnugesrghrnhgusgdruggv X-ME-Proxy: Feedback-ID: i56a14606:Fastmail Received: by mailuser.nyi.internal (Postfix, from userid 501) id 8B601B60086; Tue, 13 Sep 2022 10:59:49 -0400 (EDT) X-Mailer: MessagingEngine.com Webmail Interface User-Agent: Cyrus-JMAP/3.7.0-alpha0-934-g6274855a4c-fm-20220913.002-g6274855a Mime-Version: 1.0 Message-Id: In-Reply-To: <20220913052020.GA85241@ubuntu> References: <20220913052020.GA85241@ubuntu> Date: Tue, 13 Sep 2022 16:59:29 +0200 From: "Arnd Bergmann" To: "Hyunwoo Kim" , "Greg Kroah-Hartman" , =?UTF-8?Q?Ilpo_J=C3=A4rvinen?= Cc: linux-kernel@vger.kernel.org, "Dominik Brodowski" , "Paul Fulghum" Subject: Re: [PATCH] pcmcia: synclink_cs: Fix use-after-free in mgslpc_ioctl() Content-Type: text/plain X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 13, 2022, at 7:20 AM, Hyunwoo Kim wrote: > A race condition may occur if the user physically removes > the pcmcia device while calling ioctl() for this tty device node. > > This is a race condition between the mgslpc_ioctl() function and > the mgslpc_detach() function, which may eventually result in UAF. > > So, add a refcount check to mgslpc_detach() to free the structure > after the tty device node is close()d. > > Signed-off-by: Hyunwoo Kim I think both your analysis and your patch are correct. You might want to spell out use-after-free in the changelog text, especially if you have a tool that finds more of these. > I think I've probably found a race-condition-to-UAF vulnerability in > drivers/char/pcmcia/synclink_cs.c. > However, this device driver is a pcmcia_driver based driver. > I haven't been able to get this old pcmcia adapter/device. > > If you don't mind, I'd like to ask the Linux kernel community to test if > this vulnerability actually triggers. Adding Paul Fulghum as the original driver author and Dominik Brodowski as the PCMCIA maintainer to Cc, if anyone still has the hardware, it would be one of them. https://lore.kernel.org/lkml/20220913052020.GA85241@ubuntu/ has the full email for reference. Even if nobody has the hardware, we could just apply the patch anyway. Alternatively, we could take a pass at removing most of the pcmcia_driver instances from the kernel including this one. Dominik has previously brought up phasing out the 16-bit PCMCIA support altogether at some point, and we may as well start by removing the ones that have no apparent users any more, at least that might avoid spending much time on fixing bugs that nobody cares about. I'm fairly sure the embedded users mostly care about CF storage cards, which is the one driver that definitely has to stay. Most other pcmcia drivers predate the git history, though there are a few that were only added in the past decade, these would be the most likely to still be in use: v5.2-rc1-82-g8674a8aa2c39 scsi: fdomain: Add PCMCIA support v4.9-rc3-54-gf2ed287bcc90 char/pcmcia: add scr24x_cs chip card interface driver v3.3-rc5-882-g2b61972b7421 can: sja1000: add support for PEAK-System PCMCIA card v3.1-rc7-1048-gfd734c6f25ae can/sja1000: add driver for EMS PCMCIA card v2.6.37-3908-g0a0b7a5f7a04 can: add driver for Softing card Arnd