From: Kees Cook <keescook@chromium.org>
To: Sven Van Asbroeck <thesven73@gmail.com>
Cc: Tejun Heo <tj@kernel.org>, Lai Jiangshan <jiangshanlai@gmail.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Sebastian Reichel <sre@kernel.org>,
	Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Greg KH <gregkh@linuxfoundation.org>
Subject: Re: [RFC v1 0/3] Address potential user-after-free on module unload
Date: Tue, 5 Feb 2019 14:57:11 +0000
Message-ID: <CAGXu5jJ0g1FUd3mX=RkJCN=BazaWWybAuapvjngpLcWtz3FQGw@mail.gmail.com>
In-Reply-To: <20190204220952.30761-1-TheSven73@googlemail.com>

On Mon, Feb 4, 2019 at 10:09 PM Sven Van Asbroeck <thesven73@gmail.com> wrote:
>
> I think there _might_ be potential use-after-free issues on module unload.
>
> They are hard to trigger, but I think I've seen them bring the whole
> kernel down when they do occur. Can be triggered by doing an insmod of
> a vulnerable module, rapidly followed by an rmmod.
>
> Caused by drivers which schedule work / delayed_work, but do not clean it up
> properly on module unload. Which means the work function could run _after_
> the module has unloaded.
>
> A quick grep through the kernel sources brings up many instances.
> I leave it to people more knowledgeable than me to determine if this problem
> is likely to happen, and/or if it can be exploited to become a security risk.
>
> Perhaps developers can be 'nudged' into doing the right thing by using
> resource-managed versions of INIT_WORK() / INIT_DELAYED_WORK(), which may
> address the issue quite elegantly.

Can a Coccinelle script get written to find module-use of the non-devm
work init?

It seems like finding these in __init functions should be relatively
easy? (Or can we add runtime detection in the existing INIT_*WORK()
code to see if it is running from the wrong place?)

-Kees

>
> Attached is a proposal patch, followed by sample fixes for two vulnerable
> modules. As far as I can tell, many more modules are vulnerable.
>
> Sven Van Asbroeck (3):
>   workqueue: Add resource-managed version of INIT_[DELAYED_]WORK()
>   max17042_battery: fix potential user-after-free on module unload
>   cap11xx: fix potential user-after-free on module unload
>
>  drivers/input/keyboard/cap11xx.c        |  6 ++-
>  drivers/power/supply/max17042_battery.c |  5 ++-
>  include/linux/workqueue.h               |  7 ++++
>  kernel/workqueue.c                      | 54 +++++++++++++++++++++++++
>  4 files changed, 70 insertions(+), 2 deletions(-)
>
> --
> 2.17.1
>


-- 
Kees Cook
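A user-space C model of the bug class discussed in this thread, added here as an illustration; it is not code from the thread, from the RFC patch, or from the kernel. The workqueue, devres and driver structures are simplified stand-ins for the kernel APIs (queue_work(), cancel_work_sync(), devm_add_action(), and the proposed devm_INIT_WORK()), and the driver itself is hypothetical. It shows why a plain INIT_WORK() in probe leaves a dangling work pointer in the queue once remove frees the private data, and how a resource-managed init that registers a cancel action to run before the memory is released avoids that.

```c
/* Added example, not from the thread: a user-space model of work
 * scheduled by a driver that outlives the driver's memory.  All
 * names below are simplified stand-ins for the kernel APIs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct work_struct;
typedef void (*work_func_t)(struct work_struct *);
struct work_struct { work_func_t func; };

#define WQ_SLOTS 8
struct workqueue { struct work_struct *slot[WQ_SLOTS]; };

/* Stand-in for queue_work(): the queue remembers a pointer into the
 * caller's memory and nothing else. */
static bool queue_work(struct workqueue *wq, struct work_struct *w)
{
    for (int i = 0; i < WQ_SLOTS; i++)
        if (!wq->slot[i]) { wq->slot[i] = w; return true; }
    return false;
}

/* Stand-in for cancel_work_sync(): drop the pending reference. */
static bool cancel_work_sync(struct workqueue *wq, struct work_struct *w)
{
    bool was_pending = false;
    for (int i = 0; i < WQ_SLOTS; i++)
        if (wq->slot[i] == w) { wq->slot[i] = NULL; was_pending = true; }
    return was_pending;
}

/* Entries a worker thread would still dereference later on. */
static int wq_pending_count(const struct workqueue *wq)
{
    int n = 0;
    for (int i = 0; i < WQ_SLOTS; i++) n += wq->slot[i] != NULL;
    return n;
}

/* Minimal devres-style release list: actions run in reverse order of
 * registration, before the managed private data is freed. */
struct devm_action { void (*release)(void *); void *data; };
struct device {
    struct devm_action actions[4];
    int nactions;
    void *drvdata;      /* what devm_kzalloc() would have handed out */
};

static void devm_add_action(struct device *dev, void (*release)(void *), void *data)
{
    dev->actions[dev->nactions++] = (struct devm_action){ release, data };
}

/* Device teardown (rmmod path): release actions first, then free. */
static void device_release(struct device *dev)
{
    while (dev->nactions > 0) {
        struct devm_action *a = &dev->actions[--dev->nactions];
        a->release(a->data);
    }
    free(dev->drvdata);
    dev->drvdata = NULL;
}

/* The hypothetical driver: private data embeds its work item. */
struct drv_priv { struct workqueue *wq; struct work_struct w; int polls; };

static void poll_fn(struct work_struct *w)
{
    /* container_of() in the kernel; same offset arithmetic here. */
    struct drv_priv *p = (struct drv_priv *)((char *)w - offsetof(struct drv_priv, w));
    p->polls++;
}

static void cancel_work_action(void *data)
{
    struct drv_priv *p = data;
    cancel_work_sync(p->wq, &p->w);
}

/* Stand-in for the RFC's devm_INIT_WORK(): init plus a release action
 * that cancels the work while the private data is still valid. */
static void devm_init_work(struct device *dev, struct drv_priv *p, work_func_t fn)
{
    p->w.func = fn;
    devm_add_action(dev, cancel_work_action, p);
}

/* probe() then remove(): returns how many queued work pointers still
 * refer to the driver's memory after that memory has been freed. */
static int pending_after_unload(bool use_devm)
{
    struct workqueue wq = { {0} };
    struct device dev = { .nactions = 0 };
    struct drv_priv *p = calloc(1, sizeof *p);
    dev.drvdata = p;
    p->wq = &wq;
    if (use_devm)
        devm_init_work(&dev, p, poll_fn);
    else
        p->w.func = poll_fn;        /* plain INIT_WORK(): nothing cancels it */
    queue_work(&wq, &p->w);

    device_release(&dev);           /* module unload: actions run, memory freed */
    return wq_pending_count(&wq);   /* >0 means a dangling work pointer */
}

int main(void)
{
    printf("plain INIT_WORK: %d dangling\n", pending_after_unload(false));
    printf("devm init      : %d dangling\n", pending_after_unload(true));
    return 0;
}
```

pending_after_unload(false) returns 1, the situation Sven describes: the worker will later call poll_fn() on memory that no longer belongs to the module. pending_after_unload(true) returns 0 because the cancel runs before the free. A driver without the resource-managed helper gets the same guarantee by calling cancel_work_sync() or cancel_delayed_work_sync() in its remove callback.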


Thread overview: 33+ messages
2019-02-04 22:09 [RFC v1 0/3] Address potential user-after-free on module unload Sven Van Asbroeck
2019-02-04 22:09 ` [RFC v1 1/3] workqueue: Add resource-managed version of INIT_[DELAYED_]WORK() Sven Van Asbroeck
2019-02-08 17:06   ` Tejun Heo
2019-02-08 18:15     ` Sven Van Asbroeck
2019-02-04 22:09 ` [RFC v1 2/3] max17042_battery: fix potential user-after-free on module unload Sven Van Asbroeck
2019-02-05  8:27   ` Dmitry Torokhov
2019-02-05 14:27     ` Sven Van Asbroeck
2019-02-05 17:21       ` Sebastian Reichel
2019-02-04 22:09 ` [RFC v1 3/3] cap11xx: " Sven Van Asbroeck
2019-02-05  8:18   ` Dmitry Torokhov
2019-02-05  8:34     ` Dmitry Torokhov
2019-02-05 21:24     ` Jacek Anaszewski
2019-02-05 21:43       ` Dmitry Torokhov
2019-02-05 22:03         ` Sven Van Asbroeck
2019-02-05 14:57 ` Kees Cook [this message]
2019-02-05 15:22   ` [RFC v1 0/3] Address " Sven Van Asbroeck
2019-02-05 18:43     ` Greg KH
2019-02-05 19:12       ` Sven Van Asbroeck
2019-02-06 16:46         ` Greg KH
2019-02-06 17:30           ` Dmitry Torokhov
2019-02-06 17:49             ` Sven Van Asbroeck
2019-02-08  6:51             ` Greg KH
2019-02-05 18:42   ` Greg KH
2019-02-07 21:49   ` Sven Van Asbroeck
2019-02-07 22:20     ` Dmitry Torokhov
2019-02-07 22:27       ` Sven Van Asbroeck
2019-02-07 22:32       ` Sven Van Asbroeck
2019-02-07 22:48         ` Dmitry Torokhov
2019-02-08  4:30         ` Miguel Ojeda
2019-02-10 18:05           ` Sven Van Asbroeck
2019-02-14  1:11             ` Miguel Ojeda
2019-02-14 15:23               ` Sven Van Asbroeck
     [not found]     ` <CAGngYiXcogd69n-MvBD1n5ZJpBzqCau8UOfLMgXEXLnAev=srw@mail.gmail.com>
     [not found]       ` <alpine.DEB.2.21.1902080745480.4201@hadrien>
2019-02-14 17:52         ` Fwd: " Sven Van Asbroeck
