From: Thomas Gleixner <tglx@linutronix.de>
To: Walter Wu <walter-zh.wu@mediatek.com>
Cc: Marco Elver <elver@google.com>,
wsd_upstream <wsd_upstream@mediatek.com>,
Stephen Boyd <sboyd@kernel.org>,
Alexander Potapenko <glider@google.com>,
linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org,
kasan-dev@googlegroups.com, linux-mm@kvack.org,
John Stultz <john.stultz@linaro.org>,
linux-arm-kernel@lists.infradead.org,
Andrey Konovalov <andreyknvl@google.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Andrew Morton <akpm@linux-foundation.org>,
Dmitry Vyukov <dvyukov@google.com>
Subject: Re: [PATCH v4 1/6] timer: kasan: record timer stack
Date: Wed, 30 Sep 2020 09:18:40 +0200 [thread overview]
Message-ID: <87pn63ivfz.fsf@nanos.tec.linutronix.de> (raw)
In-Reply-To: <1601140312.15228.12.camel@mtksdccf07>
Walter,
On Sun, Sep 27 2020 at 01:11, Walter Wu wrote:
> First, I think the commit log “Because if the UAF root cause is in timer
> init …” needs to be removed, this patch hopes to help programmer gets
> timer callback is where is registered. It is useful only if free stack
> is called from timer callback, because programmer can see why & where
> register this function.
>
> Second, see [1], it should satisfies first point. The free stack is from
> timer callback, if we know where register this function, then it should
> be useful to solve UAF.
No. It's completely useless.
The problem has absolutely nothing to do with the timer callback and the
timer_init() invocation which set the timer's callback to 'dummy_timer'.
The timer callback happens to free the object, but the worker thread has
still a reference of some sort.
So the problem is either missing refcounting which allows the timer
callback to free the object or some missing serialization.
Knowing the place which initialized the timer is absolutely not helping
to figure out what's missing here.
Aside of that it's trivial enough to do:
git grep dummy_timer drivers/usb/gadget/udc/dummy_hcd.c
if you really want to know what initialized it:
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
That said, I'm all for adding useful information to KASAN or whatever
reports, but I'm not agreeing with the approach of 'Let's sprinkle
kasan_foo() all over tha place and claim it is useful to decode an UAF'.
Adding irrelevant information to a report is actually counter productive
because it makes people look at the wrong place.
Again: Provide an analysis of such a dump where the timer_init()
function is a key element of solving the problem.
Thanks,
tglx
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
prev parent reply other threads:[~2020-09-30 7:25 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-24 4:03 [PATCH v4 1/6] timer: kasan: record timer stack Walter Wu
2020-09-24 21:41 ` Thomas Gleixner
2020-09-25 7:18 ` Walter Wu
2020-09-25 8:55 ` Thomas Gleixner
2020-09-25 9:15 ` Walter Wu
2020-09-25 22:59 ` Thomas Gleixner
2020-09-26 17:11 ` Walter Wu
2020-09-30 7:18 ` Thomas Gleixner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pn63ivfz.fsf@nanos.tec.linutronix.de \
--to=tglx@linutronix.de \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@google.com \
--cc=aryabinin@virtuozzo.com \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=john.stultz@linaro.org \
--cc=kasan-dev@googlegroups.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-mm@kvack.org \
--cc=matthias.bgg@gmail.com \
--cc=sboyd@kernel.org \
--cc=walter-zh.wu@mediatek.com \
--cc=wsd_upstream@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).