Re: [External] Re: [PATCH] driver core: Fix possible use after free on name

From: åçæ
Date: Mon Apr 06 2020 - 07:04:59 EST

Next message: Mark Brown: "Re: [PATCH v3 1/3] dt-bindings: sound: convert rockchip spdif bindings to yaml"
Previous message: Peter Zijlstra: "Re: [RESEND][PATCH v3 09/17] x86/static_call: Add out-of-line static call implementation"
In reply to: Greg KH: "Re: [External] Re: [PATCH] driver core: Fix possible use after free on name"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi PengfeiZhang,

Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> ä2020å4æ6æåä äå12:40åéï
>
> On Sun, Apr 05, 2020 at 09:05:49AM -0700, zhangfeionline@xxxxxxxxx wrote:
> > From: PengfeiZhang <zhangfeionline@xxxxxxxxx>
> >
> > __class_create() copies the pointer to the name passed as an
> > argument only to be used later. But there's a chance the caller
> > could immediately free the passed string(e.g., local variable).
> > This could trigger a use after free when we use class name(e.g.,
> > dev_uevent_name()called by device_destroy(),class_create_release()).
> >
> > To be on the safe side: duplicate the string with kstrdup_const()
> > so that if an unaware user passes an address to a stack-allocated
> > buffer, we won't get the arbitrary name and crash.
>
> Where are you seeing this happen?
>
> >
> > Signed-off-by: PengfeiZhang <zhangfeionline@xxxxxxxxx>
> > ---
> > drivers/base/class.c | 17 +++++++++++++++--
> > 1 file changed, 15 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/base/class.c b/drivers/base/class.c
> > index bcd410e..770b3b3 100644
> > --- a/drivers/base/class.c
> > +++ b/drivers/base/class.c
> > @@ -206,6 +206,7 @@ void class_unregister(struct class *cls)
> > static void class_create_release(struct class *cls)
> > {
> > pr_debug("%s called for %s\n", __func__, cls->name);
> > + kfree_const(cls->name);
> > kfree(cls);
> > }
> >
> > @@ -227,7 +228,10 @@ struct class *__class_create(struct module *owner, const char *name,
> > struct lock_class_key *key)
> > {
> > struct class *cls;
> > - int retval;
> > + int retval = -EINVAL;
> > +
> > + if (!name)
> > + goto done;
>
> This is a new change, who calls this function with name not being set?
>
>
> >
> > cls = kzalloc(sizeof(*cls), GFP_KERNEL);
> > if (!cls) {
> > @@ -235,18 +239,27 @@ struct class *__class_create(struct module *owner, const char *name,
> > goto error;
> > }
> >
> > + name = kstrdup_const(name, GFP_KERNEL);
> > + if (!name) {
> > + retval = -ENOMEM;
> > + goto error;
> > + }
>
> and overwriting the pointer like that is bad-form, try doing something
> else here instead.
>
> > +
> > cls->name = name;
> > cls->owner = owner;
> > cls->class_release = class_create_release;
> >
> > retval = __class_register(cls, key);
> > if (retval)
> > - goto error;
> > + goto error_class_register;
> >
> > return cls;
> >
> > +error_class_register:
> > + kfree(cls->name);
>
> kfree_const()?
>
> thanks,
>
> greg k-h

Yeah, you have some problem with this fix patch which Greg mentioned.
Can you fix it? And
send the fix patch v2 to Greg?

--
Yours,
Muchun

Next message: Mark Brown: "Re: [PATCH v3 1/3] dt-bindings: sound: convert rockchip spdif bindings to yaml"
Previous message: Peter Zijlstra: "Re: [RESEND][PATCH v3 09/17] x86/static_call: Add out-of-line static call implementation"
In reply to: Greg KH: "Re: [External] Re: [PATCH] driver core: Fix possible use after free on name"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]