* [PATCH v2] thermal/core: fix a UAF bug in __thermal_cooling_device_register()
From: Ziyang Xuan @ 2021-10-15 2:45 UTC
To: rafael, daniel.lezcano; +Cc: amitk, rui.zhang, linux-pm, linux-kernel
When device_register() fails, the program will goto out_kfree_type
to release 'cdev->device' by put_device(). That will call thermal_release()
to free 'cdev'. But the follow-up processes continue to access 'cdev'.
That triggers the UAF bug.
====================================================================
BUG: KASAN: use-after-free in __thermal_cooling_device_register+0x75b/0xa90
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
dump_stack_lvl+0xe2/0x152
print_address_description.constprop.0+0x21/0x140
? __thermal_cooling_device_register+0x75b/0xa90
kasan_report.cold+0x7f/0x11b
? __thermal_cooling_device_register+0x75b/0xa90
__thermal_cooling_device_register+0x75b/0xa90
? memset+0x20/0x40
? __sanitizer_cov_trace_pc+0x1d/0x50
? __devres_alloc_node+0x130/0x180
devm_thermal_of_cooling_device_register+0x67/0xf0
max6650_probe.cold+0x557/0x6aa
......
Freed by task 258:
kasan_save_stack+0x1b/0x40
kasan_set_track+0x1c/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0x109/0x140
kfree+0x117/0x4c0
thermal_release+0xa0/0x110
device_release+0xa7/0x240
kobject_put+0x1ce/0x540
put_device+0x20/0x30
__thermal_cooling_device_register+0x731/0xa90
devm_thermal_of_cooling_device_register+0x67/0xf0
max6650_probe.cold+0x557/0x6aa [max6650]
Do not use 'cdev' again after put_device() to fix the problem, as is done
in thermal_zone_device_register().
Fixes: 584837618100 ("thermal/drivers/core: Use a char pointer for the cooling device name")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: kernel test robot <lkp@intel.com>
---
drivers/thermal/thermal_core.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
index 97ef9b040b84..d2c196b298c1 100644
--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -888,7 +888,7 @@ __thermal_cooling_device_register(struct device_node *np,
{
struct thermal_cooling_device *cdev;
struct thermal_zone_device *pos = NULL;
- int ret;
+ int id, ret;
if (!ops || !ops->get_max_state || !ops->get_cur_state ||
!ops->set_cur_state)
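Review bot: `int id, ret;` introduces a second copy of the IDA value without saying why it is needed; the reason is that `cdev` is no longer valid after `put_device()` on the exit path, and a short comment at the declaration (or at the assignment) would stop a later cleanup from folding it back into `cdev->id`. Also, the commit message carries `Reported-by: kernel test robot <lkp@intel.com>` twice; one copy should go.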
@@ -901,7 +901,7 @@ __thermal_cooling_device_register(struct device_node *np,
ret = ida_simple_get(&thermal_cdev_ida, 0, 0, GFP_KERNEL);
if (ret < 0)
goto out_kfree_cdev;
- cdev->id = ret;
+ cdev->id = id = ret;
cdev->type = kstrdup(type ? type : "", GFP_KERNEL);
if (!cdev->type) {
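Review bot: the chained assignment `cdev->id = id = ret;` is a style point for kernel code, where one assignment per statement is preferred (Rafael raises the same point in his reply). Split it into `cdev->id = ret;` and `id = ret;`, which also makes the later `ida_simple_remove(&thermal_cdev_ida, id)` read naturally.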
@@ -942,8 +942,9 @@ __thermal_cooling_device_register(struct device_node *np,
out_kfree_type:
kfree(cdev->type);
put_device(&cdev->device);
+ cdev = NULL;
out_ida_remove:
- ida_simple_remove(&thermal_cdev_ida, cdev->id);
+ ida_simple_remove(&thermal_cdev_ida, id);
out_kfree_cdev:
kfree(cdev);
return ERR_PTR(ret);
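Review bot: `cdev = NULL;` after `put_device(&cdev->device);` relies on the fall-through into `out_kfree_cdev` hitting `kfree(NULL)`, which is a no-op, but nothing in the hunk records that ownership of `cdev` passed to the release callback at the `put_device()` call; a one-line comment such as `/* thermal_release() has freed cdev */` above the NULL assignment would make the intent explicit, or `out_kfree_type` could do `ida_simple_remove(&thermal_cdev_ida, id); return ERR_PTR(ret);` itself and avoid sharing the `kfree` label at all. Separately, `kfree(cdev->type)` still runs just before the put; it is worth confirming that the release callback does not free `cdev->type` as well, since that would turn this path into a double free.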
--
2.25.1
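As an added example (not part of the patch or of the kernel tree), the user-space model below replays the exit path the commit message describes: a refcounted object whose last put_device() runs a release callback that frees it, followed either by the pre-patch reads of cdev->id and a second kfree(), or by the patched path that keeps the IDA value in a local and sets the pointer to NULL. The names follow the patch; the toy slab, the toy IDA, the "freed" flag and the finding counters are assumptions that stand in for the real allocator and for KASAN, and -22 (-EINVAL) is an arbitrary stand-in for the device_register() failure.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct thermal_cooling_device and its embedded struct device. */
struct cooling_dev {
	int id;
	int refcount;                     /* the device's kobject refcount */
	bool freed;                       /* toy KASAN shadow byte, set by kfree */
};

static struct cooling_dev pool[8];    /* toy slab, handed out in order */
static int pool_next;
static bool ida_in_use[16];           /* toy thermal_cdev_ida */
static int uaf_reports;               /* reads of an already freed object */
static int double_free_reports;       /* second kfree of the same object */

static void kfree_cdev(struct cooling_dev *c)
{
	if (!c)
		return;                   /* kfree(NULL) is a no-op */
	if (c->freed)
		double_free_reports++;
	c->freed = true;
}

/* Every field read on the exit path goes through this KASAN-like check. */
static int read_id(const struct cooling_dev *c)
{
	if (c->freed)
		uaf_reports++;
	return c->id;
}

/* Dropping the last reference runs the .release callback (thermal_release()
 * in the kernel), which frees the whole cdev. */
static void put_device(struct cooling_dev *c)
{
	if (--c->refcount == 0)
		kfree_cdev(c);
}

static int ida_simple_get(void)
{
	int i;

	for (i = 0; i < 16 && ida_in_use[i]; i++)
		;
	if (i == 16)
		return -1;
	ida_in_use[i] = true;
	return i;
}

static void ida_simple_remove(int id)
{
	ida_in_use[id] = false;
}

/* device_register() is forced to fail; fixed selects the pre-patch (false) or
 * the patched (true) exit path. Returns the negative error code. */
static int register_cdev(bool fixed)
{
	struct cooling_dev *cdev = &pool[pool_next++];   /* kzalloc() */
	int id, ret;

	ret = ida_simple_get();
	if (ret < 0)
		goto out_kfree_cdev;
	cdev->id = ret;
	id = ret;                         /* local copy outlives the object */
	cdev->refcount = 1;               /* device_initialize() */

	ret = -22;                        /* device_register() failed: -EINVAL */
	/* out_kfree_type: */
	put_device(cdev);                 /* last reference: cdev is freed here */
	if (fixed)
		cdev = NULL;              /* the patch: never touch cdev again */
	/* out_ida_remove: */
	ida_simple_remove(fixed ? id : read_id(cdev));   /* pre-patch: UAF */
out_kfree_cdev:
	kfree_cdev(cdev);                 /* pre-patch: double free */
	return ret;
}

/* Runs one scenario on a clean model and returns the KASAN-style findings. */
static int findings_after_register(bool fixed)
{
	memset(pool, 0, sizeof(pool));
	memset(ida_in_use, 0, sizeof(ida_in_use));
	pool_next = uaf_reports = double_free_reports = 0;
	(void)register_cdev(fixed);
	return uaf_reports + double_free_reports;
}

int main(void)
{
	printf("pre-patch exit path: %d findings\n", findings_after_register(false));
	printf("patched exit path:   %d findings\n", findings_after_register(true));
	return 0;
}
```

The pre-patch path produces two findings, the read of cdev->id after the put and the second kfree(); the patched path produces none while still returning the ID to the allocator, because the only state it needs after put_device() lives in the local `id`.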
* Re: [PATCH v2] thermal/core: fix a UAF bug in __thermal_cooling_device_register()
From: Rafael J. Wysocki @ 2021-10-15 12:25 UTC
To: Ziyang Xuan, Daniel Lezcano
Cc: Rafael J. Wysocki, Amit Kucheria, Zhang, Rui, Linux PM, Linux Kernel Mailing List
On Fri, Oct 15, 2021 at 4:46 AM Ziyang Xuan
<william.xuanziyang@huawei.com> wrote:
>
> When device_register() fails, the program will goto out_kfree_type
> to release 'cdev->device' by put_device(). That will call thermal_release()
> to free 'cdev'. But the follow-up processes continue to access 'cdev'.
> That triggers the UAF bug.
>
> ====================================================================
> BUG: KASAN: use-after-free in __thermal_cooling_device_register+0x75b/0xa90
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
> dump_stack_lvl+0xe2/0x152
> print_address_description.constprop.0+0x21/0x140
> ? __thermal_cooling_device_register+0x75b/0xa90
> kasan_report.cold+0x7f/0x11b
> ? __thermal_cooling_device_register+0x75b/0xa90
> __thermal_cooling_device_register+0x75b/0xa90
> ? memset+0x20/0x40
> ? __sanitizer_cov_trace_pc+0x1d/0x50
> ? __devres_alloc_node+0x130/0x180
> devm_thermal_of_cooling_device_register+0x67/0xf0
> max6650_probe.cold+0x557/0x6aa
> ......
>
> Freed by task 258:
> kasan_save_stack+0x1b/0x40
> kasan_set_track+0x1c/0x30
> kasan_set_free_info+0x20/0x30
> __kasan_slab_free+0x109/0x140
> kfree+0x117/0x4c0
> thermal_release+0xa0/0x110
> device_release+0xa7/0x240
> kobject_put+0x1ce/0x540
> put_device+0x20/0x30
> __thermal_cooling_device_register+0x731/0xa90
> devm_thermal_of_cooling_device_register+0x67/0xf0
> max6650_probe.cold+0x557/0x6aa [max6650]
>
> Do not use 'cdev' again after put_device() to fix the problem, as is done
> in thermal_zone_device_register().
>
> Fixes: 584837618100 ("thermal/drivers/core: Use a char pointer for the cooling device name")
> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: kernel test robot <lkp@intel.com>
> ---
> drivers/thermal/thermal_core.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
> index 97ef9b040b84..d2c196b298c1 100644
> --- a/drivers/thermal/thermal_core.c
> +++ b/drivers/thermal/thermal_core.c
> @@ -888,7 +888,7 @@ __thermal_cooling_device_register(struct device_node *np,
> {
> struct thermal_cooling_device *cdev;
> struct thermal_zone_device *pos = NULL;
> - int ret;
> + int id, ret;
>
> if (!ops || !ops->get_max_state || !ops->get_cur_state ||
> !ops->set_cur_state)
> @@ -901,7 +901,7 @@ __thermal_cooling_device_register(struct device_node *np,
> ret = ida_simple_get(&thermal_cdev_ida, 0, 0, GFP_KERNEL);
> if (ret < 0)
> goto out_kfree_cdev;
> - cdev->id = ret;
> + cdev->id = id = ret;
I'd prefer this to be two statements, but I can fix it up.
Daniel, would there be any issues if I applied it?
>
> cdev->type = kstrdup(type ? type : "", GFP_KERNEL);
> if (!cdev->type) {
> @@ -942,8 +942,9 @@ __thermal_cooling_device_register(struct device_node *np,
> out_kfree_type:
> kfree(cdev->type);
> put_device(&cdev->device);
> + cdev = NULL;
> out_ida_remove:
> - ida_simple_remove(&thermal_cdev_ida, cdev->id);
> + ida_simple_remove(&thermal_cdev_ida, id);
> out_kfree_cdev:
> kfree(cdev);
> return ERR_PTR(ret);
> --
> 2.25.1
>
* Re: [PATCH v2] thermal/core: fix a UAF bug in __thermal_cooling_device_register()
From: Ziyang Xuan (William) @ 2021-10-18 1:26 UTC
To: Rafael J. Wysocki, Daniel Lezcano
Cc: Amit Kucheria, Zhang, Rui, Linux PM, Linux Kernel Mailing List
> On Fri, Oct 15, 2021 at 4:46 AM Ziyang Xuan
> <william.xuanziyang@huawei.com> wrote:
>>
>> When device_register() fails, the program will goto out_kfree_type
>> to release 'cdev->device' by put_device(). That will call thermal_release()
>> to free 'cdev'. But the follow-up processes continue to access 'cdev'.
>> That triggers the UAF bug.
>>
>> ====================================================================
>> BUG: KASAN: use-after-free in __thermal_cooling_device_register+0x75b/0xa90
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
>> Call Trace:
>> dump_stack_lvl+0xe2/0x152
>> print_address_description.constprop.0+0x21/0x140
>> ? __thermal_cooling_device_register+0x75b/0xa90
>> kasan_report.cold+0x7f/0x11b
>> ? __thermal_cooling_device_register+0x75b/0xa90
>> __thermal_cooling_device_register+0x75b/0xa90
>> ? memset+0x20/0x40
>> ? __sanitizer_cov_trace_pc+0x1d/0x50
>> ? __devres_alloc_node+0x130/0x180
>> devm_thermal_of_cooling_device_register+0x67/0xf0
>> max6650_probe.cold+0x557/0x6aa
>> ......
>>
>> Freed by task 258:
>> kasan_save_stack+0x1b/0x40
>> kasan_set_track+0x1c/0x30
>> kasan_set_free_info+0x20/0x30
>> __kasan_slab_free+0x109/0x140
>> kfree+0x117/0x4c0
>> thermal_release+0xa0/0x110
>> device_release+0xa7/0x240
>> kobject_put+0x1ce/0x540
>> put_device+0x20/0x30
>> __thermal_cooling_device_register+0x731/0xa90
>> devm_thermal_of_cooling_device_register+0x67/0xf0
>> max6650_probe.cold+0x557/0x6aa [max6650]
>>
>> Do not use 'cdev' again after put_device() to fix the problem, as is done
>> in thermal_zone_device_register().
>>
>> Fixes: 584837618100 ("thermal/drivers/core: Use a char pointer for the cooling device name")
>> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
>> Reported-by: kernel test robot <lkp@intel.com>
>> Reported-by: kernel test robot <lkp@intel.com>
>> ---
>> drivers/thermal/thermal_core.c | 7 ++++---
>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
>> index 97ef9b040b84..d2c196b298c1 100644
>> --- a/drivers/thermal/thermal_core.c
>> +++ b/drivers/thermal/thermal_core.c
>> @@ -888,7 +888,7 @@ __thermal_cooling_device_register(struct device_node *np,
>> {
>> struct thermal_cooling_device *cdev;
>> struct thermal_zone_device *pos = NULL;
>> - int ret;
>> + int id, ret;
>>
>> if (!ops || !ops->get_max_state || !ops->get_cur_state ||
>> !ops->set_cur_state)
>> @@ -901,7 +901,7 @@ __thermal_cooling_device_register(struct device_node *np,
>> ret = ida_simple_get(&thermal_cdev_ida, 0, 0, GFP_KERNEL);
>> if (ret < 0)
>> goto out_kfree_cdev;
>> - cdev->id = ret;
>> + cdev->id = id = ret;
>
> I'd prefer this to be two statements, but I can fix it up.
>
> Daniel, would there be any issues if I applied it?
>
OK, no problem.
>>
>> cdev->type = kstrdup(type ? type : "", GFP_KERNEL);
>> if (!cdev->type) {
>> @@ -942,8 +942,9 @@ __thermal_cooling_device_register(struct device_node *np,
>> out_kfree_type:
>> kfree(cdev->type);
>> put_device(&cdev->device);
>> + cdev = NULL;
>> out_ida_remove:
>> - ida_simple_remove(&thermal_cdev_ida, cdev->id);
>> + ida_simple_remove(&thermal_cdev_ida, id);
>> out_kfree_cdev:
>> kfree(cdev);
>> return ERR_PTR(ret);
>> --
>> 2.25.1
>>
> .
>