From: Eli Billauer <eli.billauer@gmail.com>
To: Hyunwoo Kim <imv4bel@gmail.com>
Cc: linux-kernel@vger.kernel.org, arnd@arndb.de, gregkh@linuxfoundation.org
Subject: Re: [PATCH] char: xillybus: Fix use-after-free in xillyusb_open()
Date: Sun, 23 Oct 2022 17:19:40 +0300 [thread overview]
Message-ID: <9674abb2-b40c-3862-5272-58b643dc91e1@gmail.com> (raw)
In-Reply-To: <20221022175404.GA375335@ubuntu>
Hello, Hyunwoo.
> A race condition may occur if the user physically removes
> the USB device while calling open() for this device node.
>
> This is a race condition between the xillyusb_open() function and
> the xillyusb_disconnect() function, which may eventually result in UAF.
Thanks a lot for pointing that out. In fact, this reveals two problems
in the existing code:
(1) unit->private_data is accessed after the mutex has been released in
xillybus_find_inode(), so there's no guarantee that it will be valid.
This is what the test caught. This can however be fixed just by moving
the release of the lock a few rows down.
(2) xillyusb_open() accesses @xdev without ensuring that it won't get freed.
Both of these two issues have a negligible probability of causing a
visible problem, but this must be fixed, of course.
>
> So, add a mutex to the xillyusb_open() and xillyusb_disconnect()
> functions to avoid race contidion.
I'm not very fond of this solution, partially because this mutex
protects code and not data (There's this "Lock data, not code" rule, see
[1]). Also, xillyusb_disconnect() can take a significant time to run,
during which xillybus_open() for another (unrelated and still connected)
XillyUSB device has to wait. I guess this demonstrates why protecting
code with a mutex is considered bad practice.
Besides, there are already three mechanisms in place for preventing
premature release of memory:
(1) @unit_mutex in xillybus_class.c, which protects @unit_list.
(2) @kref inside struct xillyusb_dev (xillyusb.c), which protects the
structure it resides in.
(3) @error inside struct xillyusb_dev, which prevents xillybus_open()
from opening a file that belongs to a device that is about to be released.
It's now apparent that they're not working well enough. Rather than
adding another mutex, the existing mechanisms should be fixed. Would
you like to do this, or should I?
Thanks again,
Eli
[1] Documentation/kernel-hacking/locking.rst in the kernel tree
next prev parent reply other threads:[~2022-10-23 14:20 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-22 17:54 [PATCH] char: xillybus: Fix use-after-free in xillyusb_open() Hyunwoo Kim
2022-10-23 14:19 ` Eli Billauer [this message]
2022-10-23 14:26 ` Hyunwoo Kim
2022-10-24 7:10 ` Eli Billauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9674abb2-b40c-3862-5272-58b643dc91e1@gmail.com \
--to=eli.billauer@gmail.com \
--cc=arnd@arndb.de \
--cc=gregkh@linuxfoundation.org \
--cc=imv4bel@gmail.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.