Subject: Re: [PATCH RFC] ubi: gluebi: Fix NULL pointer dereference caused by ftl notifier
To: ZhaoLong Wang
References:
<20231010142925.545238-1-wangzhaolong1@huawei.com> <9f96baf1-962e-d595-0e4f-797315cd0348@huawei.com> <2d04fa9e-e594-705c-339b-3090cb7d6fbd@huawei.com> 
From: Zhihao Cheng
Date: Thu, 12 Oct 2023 19:25:39 +0800
In-Reply-To: <2d04fa9e-e594-705c-339b-3090cb7d6fbd@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2023/10/12 17:31, ZhaoLong Wang wrote:
>
>>>
>>>> 3.         P1                    P2
>>>>     gluebi_create -> mtd_device_register -> add_mtd_device:
>>>>     device_register   // dev/mtd1 is visible
>>>>
>>>>                       fd = open(/dev/mtd1, O_WRONLY)
>>>>                        gluebi_get_device
>>>>                         gluebi->desc = ubi_open_volume
>>>>
>>>>     ftl_add_mtd
>>>>      mtd_read
>>>>       gluebi_read
>>>>        gluebi->desc is not ERR_PTR/NULL
>>>>
>>>>                      close(fd)
>>>>                       gluebi_put_device
>>>>                        ubi_close_volume
>>>>                         kfree(desc)
>>>>        ubi_read(gluebi->desc)   // UAF  (×)
>>>>
>>>
>>> Yes, it's also a problem. Perhaps it should be set to NULL after
>>> destroying gluebi->desc.
>>
>> The key point is that 'gluebi->desc' check & usage is not atomic in
>> gluebi_read. So the following patch still can't handle situation 3.
>>
>
> Setting the desc to NULL works because
> mutex_lock "mtd_table_mutex" is held on all paths where
> ftl_add_mtd() is called.
>

Oh, you're right. Just one nit below:

> @@ -154,9 +159,26 @@ static int gluebi_read(struct mtd_info *mtd, loff_t
> from, size_t len,
> size_t *retlen, unsigned char *buf)
> {
> int err = 0, lnum, offs, bytes_left;
> - struct gluebi_device *gluebi;
> + struct gluebi_device *gluebi = container_of(mtd, struct gluebi_device,
> + mtd);
> + int isnt_get = unlikely(gluebi->desc == NULL) ? 1 : 0;

This 'unlikely' can be removed. Rename 'isnt_get' as 'has_desc' ?

> + /**
> + * In normal case, the UBI volume desc has been initialized by
> + * ->_get_device(). However, in the ftl notifier process, the
> + * ->_get_device() is not executed in advance and the MTD device
> + * is directly scanned which cause null pointe dereference.
> + * Therefore, try to get the MTD device here.
> + */
> + if (unlikely(isnt_get)) {
> + err = __get_mtd_device(mtd);
> + if (err) {
> + err_msg("cannot get MTD device %d, UBI device %d, volume
> %d, error %d",
> + mtd->index, gluebi->ubi_num, gluebi->vol_id, err);
> + return err;
> + }
> + }
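Review bot: the block comment above `if (unlikely(isnt_get))` should record the locking assumption this fix depends on, namely that `mtd_table_mutex` is held on every path that reaches ftl_add_mtd(), since that is what makes the `gluebi->desc == NULL` test and the later use of `desc` safe against a concurrent gluebi_put_device(); nothing in the hunk enforces it, so a reader of gluebi_read() alone cannot see why the check is sufficient. The same comment should open with `/*` rather than `/**` (it is not kernel-doc) and "null pointe dereference" should read "null pointer dereference". Since `isnt_get` only ever holds 0 or 1, `bool has_desc = gluebi->desc != NULL;` would also remove the doubled `unlikely()` in the initializer and in the `if`, as noted above. Finally, the reference taken by `__get_mtd_device(mtd)` on this path needs a matching `__put_mtd_device()` on every exit from gluebi_read() that follows; the hunk is cut off before the rest of the function, so please confirm that in the full patch.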
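The following is an added, constructed user-space C model of "situation 3" from the thread; it is not code from the patch or from the kernel's gluebi.c, and all names (gluebi_read_unlocked, gluebi_read_locked, scenario, the `freed` flag standing in for kfree()) are assumptions of the model. It shows why clearing `gluebi->desc` is only enough when the check and the use are serialized against gluebi_put_device(), as mtd_table_mutex does in the kernel.

```c
#include <stddef.h>
#include <errno.h>

/* Constructed model; the struct and function names only mirror gluebi.c. */
struct ubi_volume_desc { int freed; };   /* freed=1 models memory returned by kfree() */
struct gluebi_device { struct ubi_volume_desc *desc; };

/* P2: close(fd) -> gluebi_put_device() -> ubi_close_volume() -> kfree(desc).
 * clear_desc=1 is the fix the thread settles on: do not leave the pointer dangling. */
static void gluebi_put_device_model(struct gluebi_device *g, int clear_desc)
{
    g->desc->freed = 1;
    if (clear_desc)
        g->desc = NULL;
}

/* P1: gluebi_read() reached from ftl_add_mtd(). 'p2' is the other CPU's work, injected
 * where it may interleave. 0 = good read, -ENODEV = volume closed, -EFAULT = freed desc used. */
static int gluebi_read_unlocked(struct gluebi_device *g, void (*p2)(struct gluebi_device *))
{
    if (g->desc == NULL)                 /* check ...                               */
        return -ENODEV;
    p2(g);                               /* ... P2 closes the volume in between ... */
    return g->desc->freed ? -EFAULT : 0; /* ... use of the freed desc: situation 3  */
}

/* Check and use serialized against P2 (mtd_table_mutex in the kernel), so P2's
 * close can only land before the check, where the cleared pointer is caught. */
static int gluebi_read_locked(struct gluebi_device *g, void (*p2)(struct gluebi_device *))
{
    p2(g);
    if (g->desc == NULL)
        return -ENODEV;
    return g->desc->freed ? -EFAULT : 0;
}

static void p2_idle(struct gluebi_device *g)        { (void)g; }
static void p2_close_stale(struct gluebi_device *g) { gluebi_put_device_model(g, 0); }
static void p2_close_fixed(struct gluebi_device *g) { gluebi_put_device_model(g, 1); }

/* fixed=0: desc left dangling and check/use unserialized; fixed=1: both parts of the fix. */
static int scenario(int fixed, int with_race)
{
    struct ubi_volume_desc d = { 0 };
    struct gluebi_device g = { &d };
    if (fixed)
        return gluebi_read_locked(&g, with_race ? p2_close_fixed : p2_idle);
    return gluebi_read_unlocked(&g, with_race ? p2_close_stale : p2_idle);
}
```

Without the race both variants return 0; with P2's close injected, the unfixed path dereferences the freed desc (-EFAULT) while the fixed path fails cleanly with -ENODEV.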