* Re: UAF in moxart_remove
From: Marcus Meissner @ 2022-01-11 8:35 UTC (permalink / raw)
To: whitehat002 whitehat002, security, linux-mmc, ulf.hansson,
xiyuyang19, tony, yang.lee, colin.king, xiongx18
Cc: security
Hi whitehat002,
SUSE currently does not build the moxart driver, let me defer you to
security@kernel.org and the MMC maintainers.
I also opened a bug in our bugzilla just for tracking
https://bugzilla.suse.com/show_bug.cgi?id=1194516
Ciao, Marcus
On Tue, Jan 11, 2022 at 02:30:32PM +0800, whitehat002 whitehat002 wrote:
> Hello suse security team,
>
> There is a UAF in drivers/mmc/host/moxart-mmc.c
> This is similar to
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39
>
>
>
> static int moxart_remove(struct platform_device *pdev)
> {
> struct mmc_host *mmc = dev_get_drvdata(&pdev->dev);
> struct moxart_host *host = mmc_priv(mmc);
>
> dev_set_drvdata(&pdev->dev, NULL);
>
> if (!IS_ERR_OR_NULL(host->dma_chan_tx))
> dma_release_channel(host->dma_chan_tx);
> if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> dma_release_channel(host->dma_chan_rx);
> mmc_remove_host(mmc);
> mmc_free_host(mmc); //[0] free
>
> writel(0, host->base + REG_INTERRUPT_MASK); //[1] host is private data from mmc_host UAF
> writel(0, host->base + REG_POWER_CONTROL);
> writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
> host->base + REG_CLOCK_CONTROL);
>
> return 0;
> }
>
>
>
> static inline void *mmc_priv(struct mmc_host *host)
> {
> return (void *)host->private;
> }
>
>
> Credit information
> Zhihua Yao of KunLun Lab
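As an added illustration (not code from the thread or from the moxart driver), a user-space C model of why the register writes after mmc_free_host() in the report above are a use-after-free: the moxart_host that mmc_priv() returns lives inside the mmc_host allocation. mmc_alloc_host, writel_model and the live_private/uaf_accesses counters are simplified stand-ins assumed for the model, not kernel code.

```c
#include <stdlib.h>
/* Stand-in for struct mmc_host: the driver-private area is a
 * flexible array at the tail of the same allocation, so freeing
 * the mmc_host frees the moxart_host as well. */
struct mmc_host {
    int removed;
    unsigned long private[];
};

struct moxart_host {
    unsigned int regs[4];   /* stands in for the MMIO window at host->base */
};
static int live_private;    /* 1 while the allocation holding host exists */
static int uaf_accesses;    /* register writes issued after the free */
static void *mmc_priv(struct mmc_host *host) { return host->private; }

static struct mmc_host *mmc_alloc_host(size_t extra)
{
    struct mmc_host *mmc = calloc(1, sizeof(*mmc) + extra);
    live_private = 1;
    return mmc;
}
static void mmc_remove_host(struct mmc_host *mmc) { mmc->removed = 1; }
static void mmc_free_host(struct mmc_host *mmc) { live_private = 0; free(mmc); }
/* Stand-in for writel(): the real driver reads host->base from the
 * (possibly freed) object; the model only counts such accesses. */
static void writel_model(struct moxart_host *host, int reg, unsigned int v)
{
    if (!live_private) { uaf_accesses++; return; } /* never touch freed memory */
    host->regs[reg] = v;
}
/* Teardown in the reported order (free_first = 1: free, then register
 * writes) or the fixed order (free_first = 0). Returns how many register
 * accesses happened after the allocation was freed. */
int moxart_remove_model(int free_first)
{
    struct mmc_host *mmc = mmc_alloc_host(sizeof(struct moxart_host));
    struct moxart_host *host = mmc_priv(mmc);
    uaf_accesses = 0;
    mmc_remove_host(mmc);
    if (free_first)
        mmc_free_host(mmc);     /* [0] host now dangles */
    writel_model(host, 0, 0);   /* REG_INTERRUPT_MASK */
    writel_model(host, 1, 0);   /* REG_POWER_CONTROL */
    writel_model(host, 2, 1);   /* REG_CLOCK_CONTROL |= CLK_OFF */
    if (!free_first)
        mmc_free_host(mmc);     /* safe: the last use of host is above */
    return uaf_accesses;
}
```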
* Re: UAF in moxart_remove
From: Greg KH @ 2022-01-11 12:10 UTC (permalink / raw)
To: Marcus Meissner
Cc: whitehat002 whitehat002, security, linux-mmc, ulf.hansson,
xiyuyang19, tony, yang.lee, colin.king, xiongx18, security
On Tue, Jan 11, 2022 at 09:35:11AM +0100, Marcus Meissner wrote:
> Hi whitehat002,
>
> SUSE currently does not build the moxart driver, let me defer you to
> security@kernel.org and the MMC maintainers.
>
> I also opened a bug in our bugzilla just for tracking
> https://bugzilla.suse.com/show_bug.cgi?id=1194516
>
> Ciao, Marcus
> On Tue, Jan 11, 2022 at 02:30:32PM +0800, whitehat002 whitehat002 wrote:
> > Hello suse security team,
> >
> > There is a UAF in drivers/mmc/host/moxart-mmc.c
> > This is similar to
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39
> >
> >
> >
> > static int moxart_remove(struct platform_device *pdev)
> > {
> > struct mmc_host *mmc = dev_get_drvdata(&pdev->dev);
> > struct moxart_host *host = mmc_priv(mmc);
> >
> > dev_set_drvdata(&pdev->dev, NULL);
> >
> > if (!IS_ERR_OR_NULL(host->dma_chan_tx))
> > dma_release_channel(host->dma_chan_tx);
> > if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> > dma_release_channel(host->dma_chan_rx);
> > mmc_remove_host(mmc);
> > mmc_free_host(mmc); //[0] free
> >
> > writel(0, host->base + REG_INTERRUPT_MASK); //[1] host is private data from mmc_host UAF
> > writel(0, host->base + REG_POWER_CONTROL);
> > writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
> > host->base + REG_CLOCK_CONTROL);
> >
> > return 0;
> > }
> >
Can you write a patch to fix this so that you can get proper credit for
fixing it as well as finding it?
thanks,
greg k-h
* Re: UAF in moxart_remove
From: Greg KH @ 2022-01-11 12:35 UTC (permalink / raw)
To: Marcus Meissner, whitehat002 whitehat002, security, linux-mmc,
ulf.hansson, xiyuyang19, tony, yang.lee, colin.king, xiongx18,
security
On Tue, Jan 11, 2022 at 01:10:51PM +0100, Greg KH wrote:
> On Tue, Jan 11, 2022 at 09:35:11AM +0100, Marcus Meissner wrote:
> > Hi whitehat002,
> >
> > SUSE currently does not build the moxart driver, let me defer you to
> > security@kernel.org and the MMC maintainers.
> >
> > I also opened a bug in our bugzilla just for tracking
> > https://bugzilla.suse.com/show_bug.cgi?id=1194516
> >
> > Ciao, Marcus
> > On Tue, Jan 11, 2022 at 02:30:32PM +0800, whitehat002 whitehat002 wrote:
> > > Hello suse security team,
> > >
> > > There is a UAF in drivers/mmc/host/moxart-mmc.c
> > > This is similar to
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39
> > >
> > >
> > >
> > > static int moxart_remove(struct platform_device *pdev)
> > > {
> > > struct mmc_host *mmc = dev_get_drvdata(&pdev->dev);
> > > struct moxart_host *host = mmc_priv(mmc);
> > >
> > > dev_set_drvdata(&pdev->dev, NULL);
> > >
> > > if (!IS_ERR_OR_NULL(host->dma_chan_tx))
> > > dma_release_channel(host->dma_chan_tx);
> > > if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> > > dma_release_channel(host->dma_chan_rx);
> > > mmc_remove_host(mmc);
> > > mmc_free_host(mmc); //[0] free
> > >
> > > writel(0, host->base + REG_INTERRUPT_MASK); //[1] host is private data from mmc_host UAF
> > > writel(0, host->base + REG_POWER_CONTROL);
> > > writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
> > > host->base + REG_CLOCK_CONTROL);
> > >
> > > return 0;
> > > }
> > >
>
> Can you write a patch to fix this so that you can get proper credit for
> fixing it as well as finding it?
Here's an untested patch that "should" be correct; can someone test it,
please?
thanks,
greg k-h
diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
index 16d1c7a43d33..fe05ae81afd9 100644
--- a/drivers/mmc/host/moxart-mmc.c
+++ b/drivers/mmc/host/moxart-mmc.c
@@ -704,14 +704,14 @@ static int moxart_remove(struct platform_device *pdev)
dma_release_channel(host->dma_chan_tx);
if (!IS_ERR_OR_NULL(host->dma_chan_rx))
dma_release_channel(host->dma_chan_rx);
- mmc_remove_host(mmc);
- mmc_free_host(mmc);
-
writel(0, host->base + REG_INTERRUPT_MASK);
writel(0, host->base + REG_POWER_CONTROL);
writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
host->base + REG_CLOCK_CONTROL);
+ mmc_remove_host(mmc);
+ mmc_free_host(mmc);
+
return 0;
}
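Review bot: moving mmc_remove_host() below the register writes goes further than the use-after-free requires and changes the shutdown order: the interrupt mask, power and clock are now cut (`writel(0, host->base + REG_INTERRUPT_MASK);` onward) while the MMC core is still attached to the host and may still be issuing requests. Only mmc_free_host(mmc) releases the allocation that mmc_priv() returned, so the smaller fix is to keep `mmc_remove_host(mmc);` where it was and move just `mmc_free_host(mmc);` to after the last host->base access, directly before `return 0;`. The removed and re-added blank line around the moved calls is also cosmetic churn that the smaller move avoids.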
* Re: UAF in moxart_remove
From: Greg KH @ 2022-01-14 8:02 UTC (permalink / raw)
To: Marcus Meissner, whitehat002 whitehat002, security, linux-mmc,
ulf.hansson, xiyuyang19, tony, yang.lee, colin.king, xiongx18,
security
On Tue, Jan 11, 2022 at 01:35:19PM +0100, Greg KH wrote:
> On Tue, Jan 11, 2022 at 01:10:51PM +0100, Greg KH wrote:
> > On Tue, Jan 11, 2022 at 09:35:11AM +0100, Marcus Meissner wrote:
> > > Hi whitehat002,
> > >
> > > SUSE currently does not build the moxart driver, let me defer you to
> > > security@kernel.org and the MMC maintainers.
> > >
> > > I also opened a bug in our bugzilla just for tracking
> > > https://bugzilla.suse.com/show_bug.cgi?id=1194516
> > >
> > > Ciao, Marcus
> > > On Tue, Jan 11, 2022 at 02:30:32PM +0800, whitehat002 whitehat002 wrote:
> > > > Hello suse security team,
> > > >
> > > > There is a UAF in drivers/mmc/host/moxart-mmc.c
> > > > This is similar to
> > > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39
> > > >
> > > >
> > > >
> > > > static int moxart_remove(struct platform_device *pdev)
> > > > {
> > > > struct mmc_host *mmc = dev_get_drvdata(&pdev->dev);
> > > > struct moxart_host *host = mmc_priv(mmc);
> > > >
> > > > dev_set_drvdata(&pdev->dev, NULL);
> > > >
> > > > if (!IS_ERR_OR_NULL(host->dma_chan_tx))
> > > > dma_release_channel(host->dma_chan_tx);
> > > > if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> > > > dma_release_channel(host->dma_chan_rx);
> > > > mmc_remove_host(mmc);
> > > > mmc_free_host(mmc); //[0] free
> > > >
> > > > writel(0, host->base + REG_INTERRUPT_MASK); //[1] host is private data from mmc_host UAF
> > > > writel(0, host->base + REG_POWER_CONTROL);
> > > > writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
> > > > host->base + REG_CLOCK_CONTROL);
> > > >
> > > > return 0;
> > > > }
> > > >
> >
> > Can you write a patch to fix this so that you can get proper credit for
> > fixing it as well as finding it?
>
> Here's an untested patch that "should" be correct; can someone test it,
> please?
>
> thanks,
>
> greg k-h
>
>
> diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
> index 16d1c7a43d33..fe05ae81afd9 100644
> --- a/drivers/mmc/host/moxart-mmc.c
> +++ b/drivers/mmc/host/moxart-mmc.c
> @@ -704,14 +704,14 @@ static int moxart_remove(struct platform_device *pdev)
> dma_release_channel(host->dma_chan_tx);
> if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> dma_release_channel(host->dma_chan_rx);
> - mmc_remove_host(mmc);
> - mmc_free_host(mmc);
> -
> writel(0, host->base + REG_INTERRUPT_MASK);
> writel(0, host->base + REG_POWER_CONTROL);
> writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
> host->base + REG_CLOCK_CONTROL);
>
> + mmc_remove_host(mmc);
> + mmc_free_host(mmc);
> +
> return 0;
> }
>
I've sent a "better" version of this patch upstream for inclusion now:
https://lore.kernel.org/all/20220114075934.302464-1-gregkh@linuxfoundation.org/
As this path can only be hit if you have root privileges to unload the
module, it's not really that much of a "security" issue.
thanks,
greg k-h