From: sangsup lee
Date: Fri, 28 Apr 2023 14:00:04 +0900
Subject: Re: [PATCH v2] misc: fastrpc: Fix a Use after-free-bug by race condition
To: Greg Kroah-Hartman
Cc: Srinivas Kandagatla, Amol Maheshwari, Arnd Bergmann, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org

I apologize for recognizing the email in the TOP POST format.
I missed the comment in the previous email.

On Thu, 27 Apr 2023 at 6:52 PM, Greg Kroah-Hartman wrote:
>
> On Thu, Apr 27, 2023 at 06:29:16PM +0900, sangsup lee wrote:
> > Is there any comment for this issue?
>
> What issue?
>
> > (reference: https://www.spinics.net/lists/kernel/msg4731408.html)
>
> Please use lore.kernel.org links, we have no control over any other
> random email archive.
>
> And the above link just points to this proposed patch.
>
> >
> >
> > On Thu, 23 Mar 2023 at 10:37 AM, Sangsup Lee wrote:
> > >
> > > From: Sangsup lee
> > >
> > > This patch adds mutex_lock for fixing a Use-after-free bug.
> > > fastrpc_req_munmap_impl can be called concurrently in multi-threaded environments.
> > > The buf which is allocated by list_for_each_safe can be used after another thread frees it.
>
> How was this tested?
>

I was unable to configure the environment in which this code is running.
Therefore, I could not go through dynamic testing for the related issue.
However, I found vulnerabilities in similar types of functions in other
drivers in the mobile environment, so I think this code is also problematic.

> > >
> > > Signed-off-by: Sangsup lee
> > > ---
> > > V1 -> V2: moving the locking to ioctl.
> > >
> > >  drivers/misc/fastrpc.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > >
> > > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> > > index 93ebd174d848..aa1cf0e9f4ed 100644
> > > --- a/drivers/misc/fastrpc.c
> > > +++ b/drivers/misc/fastrpc.c
> > > @@ -1901,7 +1901,9 @@ static long fastrpc_device_ioctl(struct file *file, unsigned int cmd,
> > >  		err = fastrpc_req_mmap(fl, argp);
> > >  		break;
> > >  	case FASTRPC_IOCTL_MUNMAP:
> > > +		mutex_lock(&fl->mutex);
> > >  		err = fastrpc_req_munmap(fl, argp);
> > > +		mutex_unlock(&fl->mutex);
>
> Are you sure you can call this function with the lock?  If so, why isn't
> the mmap ioctl also locked?

I am convinced that FASTRPC_IOCTL_MUNMAP can lead to a race condition bug.
However, as I mentioned in patch v1, I am not an expert in fastrpc.
I worried about the side effects of the code I suggested.
So, I asked you to recommend which code to use, and this is the code that
was recommended to me.
And I didn't check the mmap function because I couldn't find a bug in mmap.

>
> thanks,
>
> greg k-h
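Review bot: the new lock/unlock pair covers only the FASTRPC_IOCTL_MUNMAP case, while the fastrpc_req_mmap(fl, argp) call at the top of the same hunk still runs without fl->mutex; if mmap and munmap both modify the list that the commit message says fastrpc_req_munmap_impl walks with list_for_each_safe, locking one side leaves the race in place, so either take fl->mutex around fastrpc_req_mmap() as well or, better, move the locking into the functions that actually walk and modify the list, next to a comment saying which lock protects it. The commit message should also name the lock that is meant to protect that list and state, as the thread does, that the change could not be runtime-tested, since a sleeping lock added around a call whose internals were not checked is the kind of change reviewers need that context for.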
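To make the shape of the fix concrete, here is an added user-space model of the pattern discussed in the thread; it is not code from the fastrpc driver or from the patch, and the names fastrpc_buf, fastrpc_user, req_mmap and req_munmap_impl are hypothetical, modelled on the thread's naming. It shows the defensive structure Greg's question points at: the list is protected by the same mutex on the insert and the remove side, the walk and the unlink happen with the lock held, and the node is freed only after it is unreachable.

```c
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical user-space model of the driver's per-file mapping list. */
struct fastrpc_buf {
    uintptr_t raddr;               /* remote address, the lookup key */
    struct fastrpc_buf *next;
};

struct fastrpc_user {              /* per-open-file state, "fl" */
    pthread_mutex_t mutex;         /* protects every access to maps */
    struct fastrpc_buf *maps;
};

/* mmap path: insert under the same lock the munmap path takes, so the
 * list is protected from both sides rather than in one ioctl case only */
int req_mmap(struct fastrpc_user *fl, uintptr_t raddr) {
    struct fastrpc_buf *b = malloc(sizeof *b);
    if (!b)
        return -ENOMEM;
    b->raddr = raddr;
    pthread_mutex_lock(&fl->mutex);
    b->next = fl->maps;
    fl->maps = b;
    pthread_mutex_unlock(&fl->mutex);
    return 0;
}

/* munmap path: walk and unlink with the lock held, free only once the
 * node is unreachable, so a concurrent walker cannot touch freed memory */
int req_munmap_impl(struct fastrpc_user *fl, uintptr_t raddr) {
    struct fastrpc_buf **pp, *victim = NULL;
    pthread_mutex_lock(&fl->mutex);
    for (pp = &fl->maps; *pp; pp = &(*pp)->next) {
        if ((*pp)->raddr == raddr) {
            victim = *pp;
            *pp = victim->next;    /* unlink while still locked */
            break;
        }
    }
    pthread_mutex_unlock(&fl->mutex);
    if (!victim)
        return -ENOENT;
    free(victim);
    return 0;
}
```

A second munmap of the same address returns -ENOENT instead of touching freed memory, which is the observable difference from the unlocked walk the commit message describes.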