From: Nicolas Saenz Julienne
Date: Mon, 25 Jan 2021 17:31:25 +0100
Subject: [PATCH 0/2] Console/stdio use after free
References: <20210120140454.4286-1-nsaenzjulienne@suse.de>
To: u-boot@lists.denx.de

Hi Andy, Simon

On Wed, 2021-01-20 at 17:57 +0200, Andy Shevchenko wrote:
> On Wed, Jan 20, 2021 at 4:05 PM Nicolas Saenz Julienne
> wrote:
> >
> > With today's master, 70c2525c0d3c ('IOMUX: Stop dropped consoles')
> > introduces a use after free in usb_kbd_remove():
> >
> > - usbkbd's stdio device is de-registered with stdio_deregister_dev(),
> >   the struct stdio_dev is freed.
> >
> > - iomux_doenv() is called, usbkbd removed from the console list, and
> >   console_stop() is called on the struct stdio_dev pointer that no
> >   longer exists.
> >
> > This series mitigates this by making sure the pointer is really a stdio
> > device prior to performing the stop operation. It's not ideal, but I
> > couldn't figure out a nicer way to fix this.
>
> Thanks for the report and indeed this sounds like a papering over the
> real issue somewhere else.
> If we have a device in the console_list, IOMUX may access it. So,
> whenever we drop a device, we must update console_list accordingly.

Sorry, but I don't have time to address this ATM. If someone else can it'd be
nice.

Regards,
Nicolas
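
The ordering rule raised in the thread (whenever a device is dropped, console_list must be updated), shown as an added example that is not part of this thread and is not U-Boot code. It is a simplified C model in which deregistration stops and unlinks the device before freeing it; struct dev, dev_register, dev_deregister, dev_stop and console_refs are hypothetical names.

```c
/* Simplified model with hypothetical names; this is not U-Boot code. */
#include <stdlib.h>

#define MAX_CONSOLES 4
struct dev { const char *name; int stopped; };
static struct dev *console_list[MAX_CONSOLES]; /* entries the mux may touch */
static int stops_on_live_dev;                  /* stop calls made before free */

static void dev_stop(struct dev *d)
{
    d->stopped = 1;            /* dereferences d, so d must still be alive */
    stops_on_live_dev++;
}

static struct dev *dev_register(const char *name)
{
    struct dev *d = calloc(1, sizeof(*d));
    for (int i = 0; d && i < MAX_CONSOLES; i++) {
        if (!console_list[i]) {
            d->name = name;
            console_list[i] = d;
            return d;
        }
    }
    free(d);                   /* allocation failed or list full */
    return NULL;
}

/* Number of console_list slots that still reference d. */
static int console_refs(const struct dev *d)
{
    int n = 0;
    for (int i = 0; i < MAX_CONSOLES; i++)
        n += (console_list[i] == d);
    return n;
}

/* Drop a device: stop and unlink it from the list first, free it last. */
static int dev_deregister(struct dev *d)
{
    for (int i = 0; i < MAX_CONSOLES; i++) {
        if (console_list[i] == d) {
            dev_stop(d);
            console_list[i] = NULL;
        }
    }
    int left = console_refs(d); /* counted before free; 0 = no stale entry */
    free(d);
    return left;
}
```

With this ordering the stop hook only ever runs on a live object, and a later walk of the list cannot reach the freed device.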