From: "Luis R. Rodriguez" <mcgrof@suse.com>
To: ming.lei@canonical.com, gregkh@linuxfoundation.org
Cc: rusty@rustcorp.com.au, dhowells@redhat.com,
	ming.lei@canonical.com, seth.forshee@canonical.com,
	kyle@kernel.org, akpm@linux-foundation.org,
	keescook@chromium.org, casey@schaufler-ca.com, tiwai@suse.de,
	mjg59@srcf.ucam.org, wireless-regdb@lists.infradead.org,
	linux-wireless@vger.kernel.org, jlee@suse.com,
	"linux-kernel@vger.kernel.org Luis R. Rodriguez"
	<mcgrof@do-not-panic.com>
Subject: Re: [PATCH v1 04/12] firmware: fix possible use after free on name on asynchronous request
Date: Fri, 8 May 2015 21:23:04 +0200
Message-ID: <20150508192304.GD20018@wotan.suse.de>
In-Reply-To: <1430873070-7290-5-git-send-email-mcgrof@do-not-panic.com>

On Tue, May 05, 2015 at 05:44:22PM -0700, Luis R. Rodriguez wrote:
> From: "Luis R. Rodriguez" <mcgrof@suse.com>
> 
> Asynchronous firmware loading copies the pointer to the
> name passed as an argument only to be scheduled later and
> used. This behaviour works well for synchronous calling
> but in asynchronous mode there's a chance the caller could
> immediately free the passed string after making the
> asynchronous call. This could trigger a use after free
> having the kernel look on disk for arbitrary file names.

<-- snip -->

> Unfortunately in the worst and most common case however you
> can typically crash your system with a page fault by trying to
> free something which you cannot, and/or a NULL pointer
> dereference [1].

I've found a few more bugs in this code that should be
stable fixes. Since the fixes are all related, there is
an alternative approach to the problem here which would
require us to just deal with PATH_MAX a few times in code
for firmware requests. Although that does increase the
allocation required by a few KB, I think the simplicity
is worth it. So if this patch has not yet been applied,
I will send out a new series of fixes addressing name
issues through an alternative approach and implementation
preferences, so please hold off on applying this for now; if it has
already been applied / submitted upstream, let me know.

  Luis
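As an added illustration of the two strategies discussed above (this is not code from the patch series or from the kernel's firmware loader), the following user-space model contrasts a request that only retains the caller's name pointer with one that copies the name into request-owned storage at queue time, the PATH_MAX-style approach the reply proposes. The struct and function names, and the FW_NAME_MAX bound standing in for PATH_MAX, are assumptions for the example. To keep the behaviour well defined, the "caller moves on" step reuses its buffer rather than freeing it; the worker observing stale contents is the same lifetime dependency the commit message describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Assumed bound for the copied name. The reply proposes PATH_MAX in the
 * kernel; this user-space model uses a smaller constant. */
#define FW_NAME_MAX 64

/* Pointer-only request, as described in the commit message: the request
 * silently depends on the lifetime of the caller's buffer. */
struct fw_request_ptr {
    const char *name;
};

/* Copying request, as proposed in the reply: the name lives in storage
 * owned by the request itself, so the caller may free or reuse its buffer. */
struct fw_request_copy {
    char name[FW_NAME_MAX];
};

static void queue_ptr(struct fw_request_ptr *req, const char *name)
{
    req->name = name;   /* no copy: stale as soon as the caller frees or reuses */
}

/* Returns 0 on success, -1 if the name does not fit (a kernel version
 * would return -ENAMETOOLONG rather than silently truncating). */
static int queue_copy(struct fw_request_copy *req, const char *name)
{
    size_t len = strnlen(name, FW_NAME_MAX);
    if (len == FW_NAME_MAX)
        return -1;
    memcpy(req->name, name, len + 1);   /* include the terminating NUL */
    return 0;
}

/* Stand-in for the deferred worker: the string that would be handed to the
 * on-disk lookup when the work item finally runs. */
static const char *worker_name_ptr(const struct fw_request_ptr *req)   { return req->name; }
static const char *worker_name_copy(const struct fw_request_copy *req) { return req->name; }

#define ORIGINAL "vendor/device-v1.bin"   /* constructed sample name */

/* Caller reuses its buffer between queuing and the worker running.
 * Returns 1 if the worker still sees the original name, 0 otherwise. */
static int pointer_request_keeps_name(void)
{
    char caller_buf[FW_NAME_MAX];
    struct fw_request_ptr req;

    snprintf(caller_buf, sizeof caller_buf, "%s", ORIGINAL);
    queue_ptr(&req, caller_buf);
    /* Caller moves on and reuses the same buffer for something else. */
    snprintf(caller_buf, sizeof caller_buf, "scratch-data-not-a-firmware");
    return strcmp(worker_name_ptr(&req), ORIGINAL) == 0;
}

static int copy_request_keeps_name(void)
{
    char caller_buf[FW_NAME_MAX];
    struct fw_request_copy req;

    snprintf(caller_buf, sizeof caller_buf, "%s", ORIGINAL);
    if (queue_copy(&req, caller_buf) != 0)
        return 0;
    snprintf(caller_buf, sizeof caller_buf, "scratch-data-not-a-firmware");
    return strcmp(worker_name_copy(&req), ORIGINAL) == 0;
}

/* An overlong name must be rejected, not truncated into a different path. */
static int copy_rejects_overlong(void)
{
    char too_long[FW_NAME_MAX + 8];
    struct fw_request_copy req;

    memset(too_long, 'a', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';
    return queue_copy(&req, too_long) == -1;
}

int main(void)
{
    printf("pointer-only request sees original name: %d\n", pointer_request_keeps_name());
    printf("copying request sees original name:      %d\n", copy_request_keeps_name());
    printf("overlong name rejected:                  %d\n", copy_rejects_overlong());
    return 0;
}
```

The pointer-only variant reports 0 because the worker reads whatever the caller's buffer holds when the work item runs; the copying variant reports 1 regardless of what the caller does afterwards, at the cost of the extra per-request allocation the reply mentions.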

