From: Phil Elwell <phil@raspberrypi.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: devel@driverdev.osuosl.org, Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	bcm-kernel-feedback-list@broadcom.com,
	Nicolas Saenz Julienne <nsaenzjulienne@suse.de>,
	linux-arm-kernel@lists.infradead.org,
	linux-rpi-kernel@lists.infradead.org
Subject: Re: [PATCH 1/2] staging: vchiq: Fix bulk userdata handling
Date: Mon, 4 Jan 2021 19:26:42 +0000	[thread overview]
Message-ID: <989ef44f-2afe-5147-1277-74df56797a4c@raspberrypi.com> (raw)
In-Reply-To: <20210104183134.GV2809@kadam>

On 04/01/2021 18:31, Dan Carpenter wrote:
> On Mon, Jan 04, 2021 at 12:09:27PM +0000, Phil Elwell wrote:
>> The addition of the local 'userdata' pointer to
>> vchiq_irq_queue_bulk_tx_rx omitted the case where neither BLOCKING nor
>> WAITING modes are used, in which case the value provided by the
>> caller is replaced with a NULL.
>>
>> Fixes: 4184da4f316a ("staging: vchiq: fix __user annotations")
>>
>> Signed-off-by: Phil Elwell <phil@raspberrypi.com>
>> ---
>>   drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> index f500a7043805..2a8883673ba1 100644
>> --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> @@ -958,7 +958,7 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance,
>>   	struct vchiq_service *service;
>>   	struct bulk_waiter_node *waiter = NULL;
>>   	bool found = false;
>> -	void *userdata = NULL;
>> +	void *userdata;
>>   	int status = 0;
>>   	int ret;
>>   
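Review bot: dropping the `= NULL` initializer from `void *userdata` means correctness now depends on every control path in vchiq_irq_queue_bulk_tx_rx assigning it before use; the second hunk covers the waiter branch and its new else, but any path that reaches a later use of `userdata` without passing through that if/else would now hand on an uninitialized pointer rather than a NULL. Consider keeping the initializer, or at least confirming with a -Wmaybe-uninitialized build that all paths assign it, and stating in the commit message why NULL is no longer an acceptable default.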
>> @@ -997,6 +997,8 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance,
>>   			"found bulk_waiter %pK for pid %d", waiter,
>>   			current->pid);
>>   		userdata = &waiter->bulk_waiter;
>> +	} else {
>> +		userdata = args->userdata;
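Review bot: the new else branch stores `args->userdata` in the plain kernel `void *userdata`, and since that field is annotated `__user` (as Dan Carpenter notes below) this mixes address spaces in one variable and sparse will flag it. If the value is only an opaque token handed back to userspace and never dereferenced, make that explicit at this assignment with a `(void __force *)` cast plus a comment saying it must never be dereferenced, or carry it as an integer type so the type system enforces that; the commit message should also spell out that the token is never dereferenced in kernel space.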
> 
> "args->userdata" is marked as a user pointer so we really don't want to
> mix user and kernel pointers here.  Presumably this opens up a large
> security hole.

It's an opaque, pointer-sized token that only exists to be returned to userspace (or not,
without this patch) - it's hard to see that as a security hole.

Phil
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Thread overview:
2021-01-04 12:09 [PATCH 0/2] A brace of vchiq bulk transfer fixes Phil Elwell
2021-01-04 12:09 ` Phil Elwell
2021-01-04 12:09 ` [PATCH 1/2] staging: vchiq: Fix bulk userdata handling Phil Elwell
2021-01-04 12:09   ` Phil Elwell
2021-01-04 17:37   ` Stefan Wahren
2021-01-04 17:37     ` Stefan Wahren
2021-01-04 18:31   ` Dan Carpenter
2021-01-04 18:31     ` Dan Carpenter
2021-01-04 19:26     ` Phil Elwell [this message]
2021-01-04 19:26       ` Phil Elwell
2021-01-05 11:01       ` Dan Carpenter
2021-01-05 11:01         ` Dan Carpenter
2021-01-05 11:53         ` Phil Elwell
2021-01-05 11:53           ` Phil Elwell
2021-01-05 13:22           ` Dan Carpenter
2021-01-05 13:22             ` Dan Carpenter
2021-01-05 15:13           ` Arnd Bergmann
2021-01-05 15:13             ` Arnd Bergmann
2021-01-04 12:09 ` [PATCH 2/2] staging: vchiq: Fix bulk transfers on 64-bit builds Phil Elwell
2021-01-04 12:09   ` Phil Elwell
