From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
To: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Cc: sre@kernel.org, rdunlap@infradead.org,
linux-kernel@vger.kernel.org, 21210240012@m.fudan.edu.cn,
21302010073@m.fudan.edu.cn
Subject: Re: [PATCH] HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
Date: Wed, 11 Sep 2024 18:51:10 +0300
Message-ID: <ZuG8bshFbcmjVC9L@smile.fi.intel.com>
In-Reply-To: <20240911151915.844957-1-kxwang23@m.fudan.edu.cn>

On Wed, Sep 11, 2024 at 11:19:15PM +0800, Kaixin Wang wrote:
> In the ssi_protocol_probe function, &ssi->work is bound with
> ssip_xmit_work. In ssip_pn_setup, the ssip_pn_xmit function
> within the ssip_pn_ops structure is capable of starting the
> work.
>
> If we remove the module which will call ssi_protocol_remove
> to make a cleanup, it will free ssi through kfree(ssi),
> while the work mentioned above will be used. The sequence
> of operations that may lead to a UAF bug is as follows:
>
> CPU0                        CPU1
>
>                         | ssip_xmit_work
> ssi_protocol_remove     |
> kfree(ssi);             |
>                         | struct hsi_client *cl = ssi->cl;
>                         | // use ssi
>
> Fix it by ensuring that the work is canceled before proceeding
> with the cleanup in ssi_protocol_remove

Sounds legit to me. But I have no time to review, FWIW,
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

I believe Sebastian will conduct a proper review before applying.

--
With Best Regards,
Andy Shevchenko
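
The teardown ordering described in the quoted commit message, as an added example that is not part of this thread or of the driver source: a single-threaded userspace C model that replays the CPU0/CPU1 sequence and counts how often the work handler touches an object already marked freed. Every name ending in `_model` and `stale_runs_after_remove` are hypothetical; `cancel_work_sync()` is assumed as the cancel primitive, since the patch itself is not shown on this page.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed userspace model; names echo the commit message, not driver code. */
#define container_of(p, type, member) \
    ((type *)((char *)(p) - offsetof(type, member)))

struct work_model { bool pending; void (*fn)(struct work_model *); };

struct ssi_model {
    bool freed;               /* stands in for kfree(ssi); memory is not released */
    int stale_runs;           /* handler runs that touched a "freed" object */
    struct work_model work;   /* embedded like ssi->work */
};

/* Plays the role of ssip_xmit_work: recovers ssi from the work pointer. */
static void xmit_work_model(struct work_model *w)
{
    struct ssi_model *ssi = container_of(w, struct ssi_model, work);
    if (ssi->freed)
        ssi->stale_runs++;    /* in the kernel this read is the use-after-free */
}

/* The worker thread finally getting CPU time (CPU1 in the diagram). */
static void run_pending_model(struct work_model *w)
{
    if (w->pending) { w->pending = false; w->fn(w); }
}

/* Assumed analogue of cancel_work_sync(): on return the work is not pending.
 * The real call also waits for a running handler; this model has no threads. */
static void cancel_work_sync_model(struct work_model *w) { w->pending = false; }

static void remove_model(struct ssi_model *ssi, bool cancel_first)
{
    if (cancel_first)
        cancel_work_sync_model(&ssi->work);
    ssi->freed = true;
}

/* Replays: xmit queues work, remove runs on CPU0, worker fires afterwards. */
int stale_runs_after_remove(bool cancel_first)
{
    struct ssi_model ssi = { .freed = false, .stale_runs = 0,
                             .work = { .pending = true, .fn = xmit_work_model } };
    remove_model(&ssi, cancel_first);
    run_pending_model(&ssi.work);
    return ssi.stale_runs;
}
```

`stale_runs_after_remove(false)` models the unpatched remove path and `stale_runs_after_remove(true)` the cancel-before-free ordering the commit message proposes.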