* Re: UAF in moxart_remove
From: Marcus Meissner @ 2022-01-11 8:35 UTC
To: whitehat002 whitehat002, security, linux-mmc, ulf.hansson, xiyuyang19, tony, yang.lee, colin.king, xiongx18
Cc: security

Hi whitehat002,

SUSE currently does not build the moxart driver, let me defer you to
security@kernel.org and the MMC maintainers.

I also opened a bug in our bugzilla just for tracking
https://bugzilla.suse.com/show_bug.cgi?id=1194516

Ciao, Marcus

On Tue, Jan 11, 2022 at 02:30:32PM +0800, whitehat002 whitehat002 wrote:
> Hello suse security team,
>
> There is a UAF in drivers/mmc/host/moxart-mmc.c
> This is similar to
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39
>
> static int moxart_remove(struct platform_device *pdev)
> {
> 	struct mmc_host *mmc = dev_get_drvdata(&pdev->dev);
> 	struct moxart_host *host = mmc_priv(mmc);
>
> 	dev_set_drvdata(&pdev->dev, NULL);
>
> 	if (!IS_ERR_OR_NULL(host->dma_chan_tx))
> 		dma_release_channel(host->dma_chan_tx);
> 	if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> 		dma_release_channel(host->dma_chan_rx);
> 	mmc_remove_host(mmc);
> 	mmc_free_host(mmc); //[0] free
>
> 	writel(0, host->base + REG_INTERRUPT_MASK); //[1] host is private data from mmc_host UAF
> 	writel(0, host->base + REG_POWER_CONTROL);
> 	writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
> 	       host->base + REG_CLOCK_CONTROL);
>
> 	return 0;
> }
>
> static inline void *mmc_priv(struct mmc_host *host)
> {
> 	return (void *)host->private;
> }
>
> Credit information
> Zhihua Yao of KunLun Lab

* Re: UAF in moxart_remove
From: Greg KH @ 2022-01-11 12:10 UTC
To: Marcus Meissner
Cc: whitehat002 whitehat002, security, linux-mmc, ulf.hansson, xiyuyang19, tony, yang.lee, colin.king, xiongx18, security

On Tue, Jan 11, 2022 at 09:35:11AM +0100, Marcus Meissner wrote:
> Hi whitehat002,
>
> SUSE currently does not build the moxart driver, let me defer you to
> security@kernel.org and the MMC maintainers.
>
> I also opened a bug in our bugzilla just for tracking
> https://bugzilla.suse.com/show_bug.cgi?id=1194516
>
> Ciao, Marcus
> On Tue, Jan 11, 2022 at 02:30:32PM +0800, whitehat002 whitehat002 wrote:
> > Hello suse security team,
> >
> > There is a UAF in drivers/mmc/host/moxart-mmc.c
> > This is similar to
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39
> >
> > static int moxart_remove(struct platform_device *pdev)
> > {
> > 	struct mmc_host *mmc = dev_get_drvdata(&pdev->dev);
> > 	struct moxart_host *host = mmc_priv(mmc);
> >
> > 	dev_set_drvdata(&pdev->dev, NULL);
> >
> > 	if (!IS_ERR_OR_NULL(host->dma_chan_tx))
> > 		dma_release_channel(host->dma_chan_tx);
> > 	if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> > 		dma_release_channel(host->dma_chan_rx);
> > 	mmc_remove_host(mmc);
> > 	mmc_free_host(mmc); //[0] free
> >
> > 	writel(0, host->base + REG_INTERRUPT_MASK); //[1] host is private data from mmc_host UAF
> > 	writel(0, host->base + REG_POWER_CONTROL);
> > 	writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
> > 	       host->base + REG_CLOCK_CONTROL);
> >
> > 	return 0;
> > }
> >

Can you write a patch to fix this so that you can get proper credit for
fixing it as well as finding it?

thanks,

greg k-h

* Re: UAF in moxart_remove
From: Greg KH @ 2022-01-11 12:35 UTC
To: Marcus Meissner, whitehat002 whitehat002, security, linux-mmc, ulf.hansson, xiyuyang19, tony, yang.lee, colin.king, xiongx18, security

On Tue, Jan 11, 2022 at 01:10:51PM +0100, Greg KH wrote:
> On Tue, Jan 11, 2022 at 09:35:11AM +0100, Marcus Meissner wrote:
> > Hi whitehat002,
> >
> > SUSE currently does not build the moxart driver, let me defer you to
> > security@kernel.org and the MMC maintainers.
> >
> > I also opened a bug in our bugzilla just for tracking
> > https://bugzilla.suse.com/show_bug.cgi?id=1194516
> >
> > Ciao, Marcus
> > On Tue, Jan 11, 2022 at 02:30:32PM +0800, whitehat002 whitehat002 wrote:
> > > Hello suse security team,
> > >
> > > There is a UAF in drivers/mmc/host/moxart-mmc.c
> > > This is similar to
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39
> > >
> > > static int moxart_remove(struct platform_device *pdev)
> > > {
> > > 	struct mmc_host *mmc = dev_get_drvdata(&pdev->dev);
> > > 	struct moxart_host *host = mmc_priv(mmc);
> > >
> > > 	dev_set_drvdata(&pdev->dev, NULL);
> > >
> > > 	if (!IS_ERR_OR_NULL(host->dma_chan_tx))
> > > 		dma_release_channel(host->dma_chan_tx);
> > > 	if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> > > 		dma_release_channel(host->dma_chan_rx);
> > > 	mmc_remove_host(mmc);
> > > 	mmc_free_host(mmc); //[0] free
> > >
> > > 	writel(0, host->base + REG_INTERRUPT_MASK); //[1] host is private data from mmc_host UAF
> > > 	writel(0, host->base + REG_POWER_CONTROL);
> > > 	writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
> > > 	       host->base + REG_CLOCK_CONTROL);
> > >
> > > 	return 0;
> > > }
> > >
>
> Can you write a patch to fix this so that you can get proper credit for
> fixing it as well as finding it?

Here's an untested patch that "should" be correct, can someone test it
please?

thanks,

greg k-h

diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c index 16d1c7a43d33..fe05ae81afd9 100644 --- a/drivers/mmc/host/moxart-mmc.c +++ b/drivers/mmc/host/moxart-mmc.c @@ -704,14 +704,14 @@ static int moxart_remove(struct platform_device *pdev) dma_release_channel(host->dma_chan_tx); if (!IS_ERR_OR_NULL(host->dma_chan_rx)) dma_release_channel(host->dma_chan_rx); - mmc_remove_host(mmc); - mmc_free_host(mmc); - writel(0, host->base + REG_INTERRUPT_MASK); writel(0, host->base + REG_POWER_CONTROL); writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF, host->base + REG_CLOCK_CONTROL); + mmc_remove_host(mmc); + mmc_free_host(mmc); + return 0; } ^ permalink raw reply related [flat|nested] 4+ messages in thread
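Review bot: in this hunk mmc_remove_host(mmc) moves below the three register writes together with mmc_free_host(mmc), so the interrupt mask, power control and clock are switched off while the host is still registered with the MMC core. Only mmc_free_host(mmc) releases the allocation that host points into (the "[0] free" line in the report), so leaving mmc_remove_host(mmc) where it was and moving just mmc_free_host(mmc) to the line before "return 0;" would close the use-after-free without changing the order in which the device is unregistered and quiesced. The patch is posted as untested; an unbind or module unload with KASAN enabled would confirm the remove path is clean.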
* Re: UAF in moxart_remove
From: Greg KH @ 2022-01-14 8:02 UTC
To: Marcus Meissner, whitehat002 whitehat002, security, linux-mmc, ulf.hansson, xiyuyang19, tony, yang.lee, colin.king, xiongx18, security

On Tue, Jan 11, 2022 at 01:35:19PM +0100, Greg KH wrote:
> On Tue, Jan 11, 2022 at 01:10:51PM +0100, Greg KH wrote:
> > On Tue, Jan 11, 2022 at 09:35:11AM +0100, Marcus Meissner wrote:
> > > Hi whitehat002,
> > >
> > > SUSE currently does not build the moxart driver, let me defer you to
> > > security@kernel.org and the MMC maintainers.
> > >
> > > I also opened a bug in our bugzilla just for tracking
> > > https://bugzilla.suse.com/show_bug.cgi?id=1194516
> > >
> > > Ciao, Marcus
> > > On Tue, Jan 11, 2022 at 02:30:32PM +0800, whitehat002 whitehat002 wrote:
> > > > Hello suse security team,
> > > >
> > > > There is a UAF in drivers/mmc/host/moxart-mmc.c
> > > > This is similar to
> > > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39
> > > >
> > > > static int moxart_remove(struct platform_device *pdev)
> > > > {
> > > > 	struct mmc_host *mmc = dev_get_drvdata(&pdev->dev);
> > > > 	struct moxart_host *host = mmc_priv(mmc);
> > > >
> > > > 	dev_set_drvdata(&pdev->dev, NULL);
> > > >
> > > > 	if (!IS_ERR_OR_NULL(host->dma_chan_tx))
> > > > 		dma_release_channel(host->dma_chan_tx);
> > > > 	if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> > > > 		dma_release_channel(host->dma_chan_rx);
> > > > 	mmc_remove_host(mmc);
> > > > 	mmc_free_host(mmc); //[0] free
> > > >
> > > > 	writel(0, host->base + REG_INTERRUPT_MASK); //[1] host is private data from mmc_host UAF
> > > > 	writel(0, host->base + REG_POWER_CONTROL);
> > > > 	writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
> > > > 	       host->base + REG_CLOCK_CONTROL);
> > > >
> > > > 	return 0;
> > > > }
> > > >
> >
> > Can you write a patch to fix this so that you can get proper credit for
> > fixing it as well as finding it?
> > Here's a untested patch that "should" be correct, can someone test it > please? > > thanks, > > greg k-h > > > diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c > index 16d1c7a43d33..fe05ae81afd9 100644 > --- a/drivers/mmc/host/moxart-mmc.c > +++ b/drivers/mmc/host/moxart-mmc.c > @@ -704,14 +704,14 @@ static int moxart_remove(struct platform_device *pdev) > dma_release_channel(host->dma_chan_tx); > if (!IS_ERR_OR_NULL(host->dma_chan_rx)) > dma_release_channel(host->dma_chan_rx); > - mmc_remove_host(mmc); > - mmc_free_host(mmc); > - > writel(0, host->base + REG_INTERRUPT_MASK); > writel(0, host->base + REG_POWER_CONTROL); > writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF, > host->base + REG_CLOCK_CONTROL); > > + mmc_remove_host(mmc); > + mmc_free_host(mmc); > + > return 0; > } > I've sent a "better" version of this patch upstream for inclusion now: https://lore.kernel.org/all/20220114075934.302464-1-gregkh@linuxfoundation.org/ As this path can only be hit if you have root privileges to unload the module, it's not really that much of a "security" issue. thanks, greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
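The lifetime rule behind this report, as an added example that is not code from the thread or from the kernel: a userspace C model in which the private data handed out by an mmc_priv()-style helper lives inside the host allocation, so every load of `base` after the free is counted. All `*_model` names, the register indices and the `CLK_OFF_MODEL` value are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model, not kernel code: every *_model name and value is constructed. */
enum { INTERRUPT_MASK, POWER_CONTROL, CLOCK_CONTROL, NREGS, CLK_OFF_MODEL = 0x100 };

static uint32_t regs[NREGS];                 /* stands in for the mapped registers */
struct moxart_model { uint32_t *base; };     /* stands in for struct moxart_host */
struct host_model { int allocated; struct moxart_model priv; }; /* mmc_host + private data */
static struct host_model slot;               /* one-object "allocator" */
static int dead_accesses;                    /* loads of priv->base after the free */

static struct host_model *alloc_host_model(void)
{
    slot.allocated = 1;
    slot.priv.base = regs;
    dead_accesses = 0;
    return &slot;
}
static void free_host_model(struct host_model *h) { h->allocated = 0; }

/* Like mmc_priv(): returns a pointer into the host allocation itself. */
static struct moxart_model *priv_model(struct host_model *h) { return &h->priv; }

/* All register access goes through here so that a stale pointer is counted. */
static uint32_t *reg(struct moxart_model *p, int idx)
{
    struct host_model *h = (void *)((char *)p - offsetof(struct host_model, priv));
    if (!h->allocated)
        dead_accesses++;                     /* p->base would be read from freed memory */
    return p->base + idx;
}

/* free_first = 1: the reported order. free_first = 0: free after the register accesses. */
int remove_model(int free_first)
{
    struct host_model *mmc = alloc_host_model();
    struct moxart_model *host = priv_model(mmc);

    if (free_first) free_host_model(mmc);
    *reg(host, INTERRUPT_MASK) = 0;
    *reg(host, POWER_CONTROL) = 0;
    *reg(host, CLOCK_CONTROL) = *reg(host, CLOCK_CONTROL) | CLK_OFF_MODEL;
    if (!free_first) free_host_model(mmc);
    return dead_accesses;
}

int main(void)
{
    printf("free first: %d, free last: %d stale accesses\n", remove_model(1), remove_model(0));
    return 0;
}
```

The model only marks the object as freed instead of releasing it, which keeps the stale accesses well defined so they can be counted.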