From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: Mathias Krause <minipli@grsecurity.net>
Cc: Dan Carpenter <dan.carpenter@linaro.org>,
Torsten Hilbrich <torsten.hilbrich@secunet.com>,
Nick Dyer <nick@shmanahar.org>,
Jiapeng Chong <jiapeng.chong@linux.alibaba.com>,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
Brad Spengler <spender@grsecurity.net>,
Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH] Input: synaptics-rmi4 - fix use after free (more completely) -- but not fully ;)
Date: Thu, 7 Mar 2024 16:30:28 -0800
Message-ID: <ZepcJAhn_JYJcz3F@google.com>
In-Reply-To: <61786e1d-35dc-4cf1-a152-fba363c94520@grsecurity.net>
On Thu, Feb 22, 2024 at 03:19:49PM +0100, Mathias Krause wrote:
> On 22.02.24 15:08, Mathias Krause wrote:
> >>
> >> The bug is that we must not call device_del() until after calling
> >> irq_dispose_mapping().
> >
> > Unfortunately, this is only half the truth. We investigated this further
> > and there's another bug that got introduced in commit 24d28e4f1271
> > ("Input: synaptics-rmi4 - convert irq distribution to irq_domain"). The
> > IRQ domain has a UAF issue as well. I'll send the patch soon -- wanted
> > to do so this week, but, again, more urgent matters interrupted this.
>
> Unfortunately, I sent that email too fast. Looking at the backtrace
> again, it's just the other bug that needs fixing (a UAF in
> rmi_driver_remove()). Will send a patch really soon now!
>
> >
> >>
> >> Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain")
> >> Reported-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
> >> Closes: https://lore.kernel.org/all/1932038e-2776-04ac-5fcd-b15bb3cd088d@secunet.com/
> >> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=215604
> >> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> >> ---
> >> drivers/input/rmi4/rmi_bus.c | 5 ++---
> >> 1 file changed, 2 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/drivers/input/rmi4/rmi_bus.c b/drivers/input/rmi4/rmi_bus.c
> >> index 1b45b1d3077d..02acc81b9d3e 100644
> >> --- a/drivers/input/rmi4/rmi_bus.c
> >> +++ b/drivers/input/rmi4/rmi_bus.c
> >> @@ -275,12 +275,11 @@ void rmi_unregister_function(struct rmi_function *fn)
> >> rmi_dbg(RMI_DEBUG_CORE, &fn->dev, "Unregistering F%02X.\n",
> >> fn->fd.function_number);
> >>
> >> - device_del(&fn->dev);
> >> - of_node_put(fn->dev.of_node);
> >> -
> >> for (i = 0; i < fn->num_of_irqs; i++)
> >> irq_dispose_mapping(fn->irq[i]);
> >>
> >> + device_del(&fn->dev);
> >> + of_node_put(fn->dev.of_node);
> >> put_device(&fn->dev);
> >> }
> >>
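Review bot: the reordering in this hunk does not change when `fn` is freed, so it cannot by itself fix a use-after-free on `fn->irq[i]`: `device_del(&fn->dev)` only unregisters the device from the driver core, and the allocation lives until `put_device(&fn->dev)` drops the last reference, which stays the final call in both versions. The commit message's claim that the bug is calling `device_del()` before `irq_dispose_mapping()` should therefore be re-examined against the actual backtrace, and the Fixes: tag checked against the UAF really observed. Note also that `device_del()` is where the bound function driver gets unbound; moving the `irq_dispose_mapping()` loop ahead of it disposes the mappings while the driver may still hold those IRQs, so the pre-patch order (unbind first, then dispose mappings) is the conventional one.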
> >
> > Acked-by: Mathias Krause <minipli@grsecurity.net>
>
> So, forget about that one, sorry.
Right, I do not think this patch is needed. The "fn" will stay in memory
until the last reference to fn->dev is dropped. So the original patch
was enough for this particular issue, and Mathias' patch fixes a slightly
different UAF.
Thanks.
--
Dmitry
Thread overview:
2024-02-22 8:53 [PATCH] Input: synaptics-rmi4 - fix use after free (more completely) Dan Carpenter
2024-02-22 14:08 ` [PATCH] Input: synaptics-rmi4 - fix use after free (more completely) -- but not fully ;) Mathias Krause
2024-02-22 14:19 ` Mathias Krause
2024-03-08 0:30 ` Dmitry Torokhov [this message]