Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp6289378rwb; Wed, 18 Jan 2023 03:33:22 -0800 (PST) X-Google-Smtp-Source: AMrXdXs3/RgU0nwOBXReF/bZ0Fx2/QhO3vfhyonTv6fUNh9s2P5TMY9CD+gPQotDoNEHc5FdR5k6 X-Received: by 2002:a17:907:7f14:b0:84d:3e5b:7c02 with SMTP id qf20-20020a1709077f1400b0084d3e5b7c02mr3729570ejc.22.1674041602481; Wed, 18 Jan 2023 03:33:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674041602; cv=none; d=google.com; s=arc-20160816; b=C8L/s2Nl453l9oZ/zt1fxPkKWeAox5IhVxBmaTIGm8mV+R4LD/e36M7pQy49ew7EGD 6MARCU8xg5h2YZX8Onc9s2QFUGMFLykprsxNL1Sjv+DfHgQOpqXEJaLgkAESG4I2TgHV RQOWclaMHpZ7ERiRGr7FM4TMNcWU1wKXQo9GZkZ+wgIarlDNVbix0EJalLVOYu9SA0f+ yV6XnHA638I1CMKakJSbB4JR6XscmuBVBcLIvkHCGpiVaoOtoyo4WX0LGZtN+L4P1yif mkBIQ9nORtRoTWqILXNLKAFGDHWXl9+fxBMSRWJ+NqjwNa3uTfKnzJSKESGYQd4KQHfz ya5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=8SF1I2mUMtMN2UiiMCS1UxmIVtDa5fspVg5r8FzNWO8=; b=gXP9ORpnEHhDNBNuyyo5NOW9pLFAuvNSTT42Q4YlY7+3d3NPBATwjXchlxLa+kB7GV MHonieqYsO99iK5DyhXUrirSHpKcdEfkoXlcbDIHL+DotQVny+VzvFP1lurCycqWq4SV 3fgtH80W7+ELsEFlTD5dA6oUUHTbQSAhqQshUV0uQD0vH0B0ZF+zLZKuZPRJmGJHtqr4 LNOuGV0A5iaI1iM+KaU8uwAqBQDrVw2mLNJmcnHl1nJE4X3jGgQAaAiMapJUSanININB CGEhuWxNmGQ2OnEZ2bN/6Uo1/fZ+r8olBTvr+Rsg6Fy6/ENZGbKAqcNVI5khzET2br00 198Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xs4all.nl Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id du11-20020a17090772cb00b00870e204d41fsi9243115ejc.564.2023.01.18.03.33.11; Wed, 18 Jan 2023 03:33:22 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xs4all.nl Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229627AbjARLLg (ORCPT + 45 others); Wed, 18 Jan 2023 06:11:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60190 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230225AbjARLKn (ORCPT ); Wed, 18 Jan 2023 06:10:43 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8762A402DA; Wed, 18 Jan 2023 02:18:27 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id DE9C9B81C12; Wed, 18 Jan 2023 10:18:25 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7F5FCC433D2; Wed, 18 Jan 2023 10:18:23 +0000 (UTC) Message-ID: Date: Wed, 18 Jan 2023 11:18:21 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0 Subject: Re: [PATCH] media:cec:fix double free and uaf issue when cancel data during noblocking Content-Language: en-US To: korantwork@gmail.com, mchehab@kernel.org Cc: linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, Xinghui Li , loydlv References: <20230111123712.160882-1-korantwork@gmail.com> From: Hans Verkuil In-Reply-To: <20230111123712.160882-1-korantwork@gmail.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,NICE_REPLY_A,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Xinghui Li, On 11/01/2023 13:37, korantwork@gmail.com wrote: > From: Xinghui Li > > data could be free when it is not completed during transmit if > the opt is nonblocking.In this case,the regular free could lead > to double-free.So, add the return value '-EPERM' to mark the > above case. > > Reported-by: loydlv > Signed-off-by: Xinghui Li > --- > drivers/media/cec/core/cec-adap.c | 27 ++++++++++++++++----------- > 1 file changed, 16 insertions(+), 11 deletions(-) > > diff --git a/drivers/media/cec/core/cec-adap.c b/drivers/media/cec/core/cec-adap.c > index 4f5ab3cae8a7..c2ba8d1173c1 100644 > --- a/drivers/media/cec/core/cec-adap.c > +++ b/drivers/media/cec/core/cec-adap.c > @@ -311,7 +311,7 @@ static void cec_post_state_event(struct cec_adapter *adap) > * > * This function is called with adap->lock held. > */ > -static void cec_data_completed(struct cec_data *data) > +static int cec_data_completed(struct cec_data *data) > { > /* > * Delete this transmit from the filehandle's xfer_list since > @@ -339,7 +339,9 @@ static void cec_data_completed(struct cec_data *data) > if (data->fh) > cec_queue_msg_fh(data->fh, &data->msg); > kfree(data); > + return -EPERM; This free is called if data->blocking is false... > } > + return 0; > } > > /* > @@ -349,7 +351,7 @@ static void cec_data_completed(struct cec_data *data) > * > * This function is called with adap->lock held. > */ > -static void cec_data_cancel(struct cec_data *data, u8 tx_status, u8 rx_status) > +static int cec_data_cancel(struct cec_data *data, u8 tx_status, u8 rx_status) > { > struct cec_adapter *adap = data->adap; > > @@ -388,7 +390,7 @@ static void cec_data_cancel(struct cec_data *data, u8 tx_status, u8 rx_status) > /* Allow drivers to process the message first */ > call_op(adap, received, &data->msg); > > - cec_data_completed(data); > + return cec_data_completed(data); > } > > /* > @@ -744,6 +746,7 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg, > { > struct cec_data *data; > bool is_raw = msg_is_raw(msg); > + int ret = 0; > > if (adap->devnode.unregistered) > return -ENODEV; > @@ -916,18 +919,20 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg, > /* Cancel the transmit if it was interrupted */ > if (!data->completed) { > if (data->msg.tx_status & CEC_TX_STATUS_OK) > - cec_data_cancel(data, CEC_TX_STATUS_OK, CEC_RX_STATUS_ABORTED); > + ret = cec_data_cancel(data, CEC_TX_STATUS_OK, CEC_RX_STATUS_ABORTED); > else > - cec_data_cancel(data, CEC_TX_STATUS_ABORTED, 0); > + ret = cec_data_cancel(data, CEC_TX_STATUS_ABORTED, 0); > } > > /* The transmit completed (possibly with an error) */ > - *msg = data->msg; > - if (WARN_ON(!list_empty(&data->list))) > - list_del(&data->list); > - if (WARN_ON(!list_empty(&data->xfer_list))) > - list_del(&data->xfer_list); > - kfree(data); > + if (!ret) { > + *msg = data->msg; > + if (WARN_ON(!list_empty(&data->list))) > + list_del(&data->list); > + if (WARN_ON(!list_empty(&data->xfer_list))) > + list_del(&data->xfer_list); > + kfree(data); ...while this free is called if data->blocking is true. (see the 'if (!block) return 0;' further up). So I have my doubts if this patch actually addresses the correct issue. Do you have an actual debug trace of the UAF? Or even better, code to reproduce this issue. Regards, Hans > + } > return 0; > } >