Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp4229941rwb; Sun, 13 Nov 2022 01:28:22 -0800 (PST) X-Google-Smtp-Source: AA0mqf7iMnt3J0EOIhdJwbjvGku3VyGtIdDzRrdXxeoWW8EDhvOy9eDBonI4ORG7sKnKPw6fn/ZE X-Received: by 2002:a05:6a00:4ac9:b0:56d:6450:9e49 with SMTP id ds9-20020a056a004ac900b0056d64509e49mr9550560pfb.54.1668331701919; Sun, 13 Nov 2022 01:28:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668331701; cv=none; d=google.com; s=arc-20160816; b=quzsFQjeZDoF0CQ7Tvxhd88BNGQ+BWGw1BiVzy2c2fpAt+smOw4E6JduqSF1pBs9VK nEve1UHPjYGTDriWHsfC1IiMIN344cNC+1iCmLJYE2CvmgVV1INS4uadajDN/rUrEflo hWxnCqeIW1IgYPi+x/x+EhXYZVVb3D/zPyOYsP+G3ePr3gTC2ZE/a5BcDfUfTMGzcyNw 3WjwM96Nf3aPDseJOycsWdjFETF4by8x7vqo2IydhT9wvmKBnFUjKOSymEadflBy0pWL fhdIamc+tzkLAkvt/vQ/7RCurYFuA7YtTC1IhRS9ORbwtSNoMnGGq1lXl1Q6872xUyax dLCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=HAviD9zbWLptU+xHtVTfpcYj6auJhtOhDq/aATLFMfk=; b=CQnx+YpGV6KmFTyFLQqVb+IV3HBqLBVUiG43vxUKd0izrVxIEyqpO/HKbJHGKK9K1/ b7P2fvHa31Ptt87xvmmyBVLucrMJk779isNaOp5YTDtpk9zBf0E0J/eWjsL9HWwh7g0x FLdVdysfmhEXm57irCUdd5jjYO1RkqSa3UNF40Dqn0DlUJ4h4luOkTjyUpuY8M+hgLHQ qchdvYMO6CmWbHV5YzEmJqL1q0jTmKqA0Z87sbhXhTA4gtuIKgAxLesibGCX0XYRh/Wj kJscHf8v0CRKUQB7wnQCpcG38joJKCA6zekTljRs+dq19wageli3QRkQT//i9JiY9981 fiCg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=PaC1RsJN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h6-20020a635306000000b00464748b58c7si7074437pgb.838.2022.11.13.01.28.09; Sun, 13 Nov 2022 01:28:21 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=PaC1RsJN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235237AbiKMIaY (ORCPT + 90 others); Sun, 13 Nov 2022 03:30:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44192 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231252AbiKMIaW (ORCPT ); Sun, 13 Nov 2022 03:30:22 -0500 Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 65465D112; Sun, 13 Nov 2022 00:30:21 -0800 (PST) Received: by mail-wr1-x42f.google.com with SMTP id z14so11986033wrn.7; Sun, 13 Nov 2022 00:30:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=HAviD9zbWLptU+xHtVTfpcYj6auJhtOhDq/aATLFMfk=; b=PaC1RsJNWEsOn9Ec2BFyhjzZwG/RlX6d+VMXfi+AukESgZDglz9L+I16IdMdP+v0WF kFQLaslaT6740COGF+wWOnq1Dj1chAgKB8oGPiepHaBxJCAc9Lg4MEck8m7xbJpYQXGx 3sv+LX+1OF3kci3vdEYa5EXYt6Bh92h/ki3ccMylRO75C1aJXCKcDqL+v+YYYDvA+KAn pBWuKtnxbsQI7DWPztBLy9kmtlGqB4RVveAhewfEoqNbtIJ6YBBeNwewmbnqIIaQbdjS n6qDZi/cZT9c6c/yigeUbZ+ljPTgubVqP3LL2b/7rzL7s0niQNzXfbL/8fUjriXl8xyY EJnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=HAviD9zbWLptU+xHtVTfpcYj6auJhtOhDq/aATLFMfk=; b=iz+kQRc119+u6xa9mhHlUPMQq+ZP3kfzVZgTInu3SdV+wkwVkDiH+j4ipeY3HyHBpv tbv85ELR0Ultu5ml2ruQ+QzECs1V1sSVp3n4Ztx0Bh0hKywpRBvqfa8sJHJIr4/ukIcU kDOdyk9RglzEBq5gFv8YNtruto/TvXMoRzqxramQlcvzc9lMUo/2fADDfTj7FTxXhSlf UqvitcU54akYkIszkmROco3pHqFsJN3mDirMZtYRo/j2SgFvMpJY/Sahu2OzQYT4kLs4 tsAJmmbWMq+/8nAK1RvJfTzYruVqwEjUSEudls2305Tjo6QtbR4C7CN5AlVXPDK/vadr 1LNw== X-Gm-Message-State: ANoB5plCVTMAoFEwAS/a6AlIZ8iwCMkRzm70hTeUtBHdQ3SCK/RHin09 AOGV/GWDZnYZgfw/hGCP2oI= X-Received: by 2002:adf:ce88:0:b0:23a:ce24:1bf0 with SMTP id r8-20020adfce88000000b0023ace241bf0mr4770831wrn.383.1668328219777; Sun, 13 Nov 2022 00:30:19 -0800 (PST) Received: from [89.138.235.186] (89-138-235-186.bb.netvision.net.il. [89.138.235.186]) by smtp.gmail.com with ESMTPSA id w16-20020a5d4050000000b002365b759b65sm6271882wrp.86.2022.11.13.00.30.18 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 13 Nov 2022 00:30:19 -0800 (PST) Message-ID: <2a8f59ac-9d49-ffa3-b035-809f2fac38ec@gmail.com> Date: Sun, 13 Nov 2022 10:30:16 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0 Subject: Re: [PATCH v2] char: xillybus: Prevent use-after-free due to race condition Content-Language: en-US To: Hyunwoo Kim Cc: gregkh@linuxfoundation.org, arnd@arndb.de, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, stern@rowland.harvard.edu References: <20221030094209.65916-1-eli.billauer@gmail.com> <20221113080558.GA5854@ubuntu> From: Eli Billauer In-Reply-To: <20221113080558.GA5854@ubuntu> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 13/11/2022 10:05, Hyunwoo Kim wrote: > Dear, > > Sorry for the late review. > > This patch cannot prevent the UAF scenario I presented: > ``` > cpu0 cpu1 > 1. xillyusb_open() > mutex_lock(&kref_mutex); // unaffected lock > xillybus_find_inode() > mutex_lock(&unit_mutex); > unit = iter; > mutex_unlock(&unit_mutex); > 2. xillyusb_disconnect() > xillybus_cleanup_chrdev() > mutex_lock(&unit_mutex); > kfree(unit); > mutex_unlock(&unit_mutex); > 3. *private_data = unit->private_data; // UAF > > ``` > > This is a UAF for 'unit', not a UAF for 'xdev'. > So, the added 'kref_mutex' has no effect. > You're correct. This submitted patch solves only one problem out of two. It prevents the content of @private_data to be freed, but you're right that @unit itself isn't protected well enough. The problem you're pointing at is that @unit can be freed before its attempted use, because the mutex is released too early. This is easily solved by moving down the mutex_unlock() call to after @unit has been used. Do you want the pleasure to submit this patch, or should I? Thanks, Eli