Re: [RFC v1 0/3] Address potential use-after-free on module unload

From: Sven Van Asbroeck
Date: Tue Feb 05 2019 - 10:23:04 EST


On Tue, Feb 5, 2019 at 9:57 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> Can a Coccinelle script get written to find module-use of the non-devm
> work init?

My thoughts exactly! But sadly I'm not a Coccinelle expert. I did look
briefly at its syntax, but I didn't immediately "get" how Cocci could find
this class of errors without a huge false positive rate (which would make
it worse than useless).

>
> It seems like finding these in __init functions should be relatively
> easy? (Or can we add runtime detection in the existing INIT_*WORK()
> code to see if it is running from the wrong place?)
>

IMHO the problem isn't that they're called from __init functions. Also,
nothing is wrong with the location of INIT_*WORK per se.

The real problem is that developers overlook calling cancel_work_sync()
on unload. I'm not sure how we could bolt on runtime detection to catch
a *missing* function, again without causing tons of false positives.
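As an added illustration of the Coccinelle approach Kees asks about (this script is not part of the thread or of the kernel tree), the sketch below flags a file that initialises a work item stored in a struct field but never cancels or flushes that field anywhere in the same file. It is a heuristic: it keys on the field name only, so it will miss a cancel that lives in another file or is registered through a devm action, and it will report those cases as false positives.

```coccinelle
// Added example: report INIT_*WORK on a struct field when no
// cancel_*_sync()/flush_*() on that same field appears in the file.
// Heuristic only; cross-file or devm-registered cleanup is not seen.

@init@
expression e;
identifier f;
position p;
@@
(
 INIT_WORK@p(&e->f, ...)
|
 INIT_DELAYED_WORK@p(&e->f, ...)
)

// Any cancel/flush of the same field anywhere in the file counts.
@cancel depends on init@
expression e2;
identifier init.f;
@@
(
 cancel_work_sync(&e2->f)
|
 cancel_delayed_work_sync(&e2->f)
|
 flush_work(&e2->f)
|
 flush_delayed_work(&e2->f)
)

// Fires only for init bindings that had no matching cancel rule.
@script:python depends on init && !cancel@
p << init.p;
f << init.f;
@@
print("%s:%s: work field '%s' is initialised but never cancelled or "
      "flushed in this file (check the unload/remove path)"
      % (p[0].file, p[0].line, f))
```

Run it with `spatch --sp-file find-uncancelled-work.cocci --dir drivers/` (file name assumed) and review each report by hand, since the unload path may legitimately cancel the work through a helper the script does not recognise.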