Date: Fri, 18 Oct 2019 19:06:42 +1100
From: Herbert Xu
To: Laurent Vivier
Cc: linux-kernel@vger.kernel.org, Matt Mackall, 'Linux Samsung SOC', Marek Szyprowski, linux-crypto@vger.kernel.org
Subject: Re: [PATCH] hwrng: core - Fix use-after-free warning in hwrng_register()
Message-ID: <20191018080642.GN25128@gondor.apana.org.au>
References: <20191014114632.10875-1-lvivier@redhat.com>
In-Reply-To: <20191014114632.10875-1-lvivier@redhat.com>
X-Mailing-List: linux-crypto@vger.kernel.org

On Mon, Oct 14, 2019 at 01:46:32PM +0200, Laurent Vivier wrote:
> Commit daae28debcb0 has moved add_early_randomness() out of the
> rng_mutex and tries to protect the reference of the new rng device
> by incrementing the reference counter.
>
> But in hwrng_register(), the function can be called with a new device
> that is not set as the current_rng device and the reference has not been
> initialized. This patch fixes the problem by not using the reference
> counter when the device is not the current one: the reference counter
> is only meaningful in the case of the current rng device and a device
> is not used if it is not the current one (except in hwrng_register())
>
> The problem has been reported by Marek Szyprowski on ARM 32bit
> Exynos5420-based Chromebook Peach-Pit board:
>
> WARNING: CPU: 3 PID: 1 at lib/refcount.c:156 hwrng_register+0x13c/0x1b4
> refcount_t: increment on 0; use-after-free.
> Modules linked in:
> CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.4.0-rc1-00061-gdaae28debcb0
> Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
> [] (unwind_backtrace) from [] (show_stack+0x10/0x14)
> [] (show_stack) from [] (dump_stack+0xa8/0xd4)
> [] (dump_stack) from [] (__warn+0xf4/0x10c)
> [] (__warn) from [] (warn_slowpath_fmt+0x74/0xb8)
> [] (warn_slowpath_fmt) from [] (hwrng_register+0x13c/0x1b4)
> [] (hwrng_register) from [] (tpm_chip_register+0xc4/0x274)
> ...
>
> Reported-by: Marek Szyprowski
> Fixes: daae28debcb0 ("hwrng: core - move add_early_randomness() out of rng_mutex")
> Tested-by: Marek Szyprowski
> Signed-off-by: Laurent Vivier
> ---
> drivers/char/hw_random/core.c | 33 ++++++++++++++++-----------------
> 1 file changed, 16 insertions(+), 17 deletions(-)

Patch applied. Thanks.
-- 
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
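
The failure mode described in the quoted commit message, as an added example that is not part of the original thread and is not the kernel's code: a userspace C model in which a device's counter is initialized only once it becomes the current one. All names (model_rng, ref_get, set_current, register_before, register_after) are hypothetical.

```c
#include <stdbool.h>

/* Userspace model only; every name here is hypothetical, not kernel code. */
struct model_rng {
    int  ref;      /* stands in for the device's counter; 0 = never initialized */
    bool sampled;  /* true once early randomness was read from the device */
};
static struct model_rng *current_rng;

/* Like refcount_t, refuse to increment from 0 and report it to the caller. */
static bool ref_get(struct model_rng *r)
{
    if (r->ref == 0)
        return false;  /* "refcount_t: increment on 0; use-after-free." */
    r->ref++;
    return true;
}

/* The counter is initialized only when a device becomes the current one. */
static void set_current(struct model_rng *r) { r->ref = 1; current_rng = r; }

/* Before: always take a reference around the early read. */
static bool register_before(struct model_rng *r)
{
    if (!ref_get(r))
        return false;  /* warning path: r was never made current */
    r->sampled = true;
    r->ref--;
    return true;
}

/* After: touch the counter only when the device is the current one. */
static bool register_after(struct model_rng *r)
{
    if (r == current_rng && !ref_get(r))
        return false;
    r->sampled = true;
    if (r == current_rng)
        r->ref--;
    return true;
}

int main(void)
{
    struct model_rng a = {0}, b = {0}, c = {0};
    set_current(&a);                       /* a is in use; b and c are not */
    return (register_before(&a) && !register_before(&b) &&
            register_after(&c)) ? 0 : 1;
}
```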