From: Greg KH <gregkh@linuxfoundation.org>
To: Zheng Hacker <hackerzheng666@gmail.com>
Cc: Yongqin Liu <yongqin.liu@linaro.org>,
John Stultz <jstultz@google.com>, Zheng Wang <zyytlz.wz@163.com>,
Sumit Semwal <sumit.semwal@linaro.org>,
arnd@arndb.de, linux-kernel@vger.kernel.org,
1395428693sheep@gmail.com, alex000young@gmail.com,
Mauro Carvalho Chehab <mchehab@kernel.org>
Subject: Re: [PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition
Date: Thu, 13 Apr 2023 14:47:58 +0200 [thread overview]
Message-ID: <2023041308-nerd-dry-98a6@gregkh> (raw)
In-Reply-To: <CAJedcCzm3MqYe3QGT7V4sMmDsVHbjVSnEc2NXWPMGVZL=a_cBA@mail.gmail.com>
On Thu, Apr 13, 2023 at 07:12:07PM +0800, Zheng Hacker wrote:
> > Yongqin Liu <yongqin.liu@linaro.org> wrote on Thursday, 13 April 2023 at 18:55:
> >
> > Hi, Zheng
> >
> > On Thu, 13 Apr 2023 at 16:08, Zheng Hacker <hackerzheng666@gmail.com> wrote:
> > >
> > > Friendly ping about the bug.
> >
> > Sorry, wasn't aware of this message before,
> >
> > Could you please help share the instructions to reproduce the problem
> > this change fixes?
> >
>
> Hi Yongqin,
>
> Thanks for your reply. This bug was found by static analysis. There is no PoC.
>
> From my personal experience, triggering race condition bugs stably in
> the kernel needs some tricks.
> For example, you can insert some sleep-time code to slow down the
> thread until the related object is freed.
> Besides, you can use gdb to control the time window. Also, there are
> some other tricks as [1] said.
>
> As for the reproduction, this attack vector requires that the attacker
> can physically access the device.
> When he/she unplugs the USB, the remove function is triggered, and if
> the set callback is invoked, there might be a race condition.

How does the removal of the USB device trigger a platform device
removal?

Are you sure this can be triggered by some other way other than manually
unloading the driver?

thanks,

greg k-h
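The bug class under discussion (a remove path freeing driver data while a deferred "set" callback is still pending) and the sleep-insertion trick Zheng mentions for widening the window can both be shown in a small user-space model. This is an added example, not the hisi_hikey_usb driver's code and not part of the original thread; `struct hikey_model`, `set_value_work`, `buggy_remove` and `fixed_remove` are hypothetical names, pthreads stand in for the kernel workqueue, and `simulated_kfree` poisons the object instead of actually freeing it so the stale access is observable rather than undefined behaviour.

```c
/* Added example: user-space model of the remove-vs-deferred-callback race.
 * Not the hisi_hikey_usb driver's code; all names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <time.h>

#define OBJ_LIVE  0x4c495645u   /* "LIVE": object is allocated */
#define OBJ_FREED 0xdeadbeefu   /* poison written by the simulated kfree */

/* Stand-in for the driver's private data that the deferred callback touches. */
struct hikey_model {
    unsigned int magic;          /* OBJ_LIVE while allocated */
    int relay_value;             /* what the "set" callback writes */
    pthread_t worker;
    int worker_started;
    unsigned int seen_by_worker; /* magic value observed by the callback */
};

/* Simulated kfree(): poison the object but keep the memory mapped, so the
 * stale read below is observable instead of real undefined behaviour. */
static void simulated_kfree(struct hikey_model *m)
{
    m->magic = OBJ_FREED;
    m->relay_value = -1;
}

/* The deferred "set" callback (a work item in the kernel). The sleep is the
 * widening trick from the thread: slow the worker down so remove() wins the
 * race and frees the object before the callback touches it. */
static void *set_value_work(void *arg)
{
    struct hikey_model *m = arg;
    struct timespec window = { 0, 50 * 1000 * 1000 }; /* 50 ms window */
    nanosleep(&window, NULL);
    m->seen_by_worker = m->magic;    /* stale read if already freed */
    if (m->magic == OBJ_LIVE)
        m->relay_value = 1;
    return NULL;
}

/* Queue the callback, as the driver would with schedule_work(). */
static void queue_set_value(struct hikey_model *m)
{
    if (pthread_create(&m->worker, NULL, set_value_work, m) == 0)
        m->worker_started = 1;
}

/* remove() as the bug class has it: frees without waiting for pending work. */
static void buggy_remove(struct hikey_model *m)
{
    simulated_kfree(m);
}

/* remove() with the usual fix: wait for the callback to finish
 * (cancel_work_sync() in the kernel, pthread_join() here) before freeing. */
static void fixed_remove(struct hikey_model *m)
{
    if (m->worker_started)
        pthread_join(m->worker, NULL);
    simulated_kfree(m);
}

/* Run one "remove while work is pending" scenario. Returns 1 if the callback
 * observed a freed object (the use-after-free), 0 if it saw a live one. */
int race_demo(int fixed)
{
    struct hikey_model *m = calloc(1, sizeof(*m));
    int uaf;

    if (!m)
        return -1;
    m->magic = OBJ_LIVE;
    queue_set_value(m);               /* callback pending, as before remove */
    if (fixed)
        fixed_remove(m);              /* join happens before the poison */
    else
        buggy_remove(m);              /* poison happens while work sleeps */
    if (m->worker_started && !fixed)
        pthread_join(m->worker, NULL); /* let the stale access complete */
    uaf = (m->seen_by_worker == OBJ_FREED);
    free(m);
    return uaf;
}

int main(void)
{
    /* Exit 0 only if the buggy remove shows the UAF and the fixed one does not. */
    return (race_demo(0) == 1 && race_demo(1) == 0) ? 0 : 1;
}
```

The model only shows the ordering problem and its standard fix; it says nothing about whether the remove path of a platform device is reachable other than by unloading the driver, which is the question raised above.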
2023-03-12 14:53 [PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition Zheng Wang
2023-03-13 19:57 ` John Stultz
2023-03-14 1:01 ` Zheng Hacker
2023-04-13 8:07 ` Zheng Hacker
2023-04-13 10:55 ` Yongqin Liu
2023-04-13 11:12 ` Zheng Hacker
2023-04-13 12:47 ` Greg KH [this message]
2023-04-13 15:35 ` Zheng Hacker
2023-04-13 15:56 ` Greg KH
2023-04-13 16:46 ` Zheng Hacker
2023-04-17 17:31 ` Yongqin Liu
2023-04-18 13:18 ` Zheng Hacker
2023-04-20 6:30 ` Yongqin Liu
2023-04-21 2:35 ` Zheng Hacker
2023-04-21 15:42 ` Yongqin Liu
2023-04-22 17:09 ` Zheng Hacker