From: Greg KH <gregkh@linuxfoundation.org>
To: zhangfeionline@gmail.com
Cc: rafael@kernel.org, linux-kernel@vger.kernel.org,
songmuchun@bytedance.com
Subject: Re: [PATCH] driver core: Fix possible use after free on name
Date: Sun, 5 Apr 2020 18:40:06 +0200
Message-ID: <20200405164006.GA1582475@kroah.com>
In-Reply-To: <1586102749-3364-1-git-send-email-zhangfeionline@gmail.com>

On Sun, Apr 05, 2020 at 09:05:49AM -0700, zhangfeionline@gmail.com wrote:
> From: PengfeiZhang <zhangfeionline@gmail.com>
>
> __class_create() copies the pointer to the name passed as an
> argument only to be used later. But there's a chance the caller
> could immediately free the passed string (e.g., a local variable).
> This could trigger a use after free when we use the class name (e.g.,
> dev_uevent_name() called by device_destroy(), class_create_release()).
>
> To be on the safe side: duplicate the string with kstrdup_const()
> so that if an unaware user passes an address to a stack-allocated
> buffer, we won't get the arbitrary name and crash.
Where are you seeing this happen?
>
> Signed-off-by: PengfeiZhang <zhangfeionline@gmail.com>
> ---
> drivers/base/class.c | 17 +++++++++++++++--
> 1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/base/class.c b/drivers/base/class.c
> index bcd410e..770b3b3 100644
> --- a/drivers/base/class.c
> +++ b/drivers/base/class.c
> @@ -206,6 +206,7 @@ void class_unregister(struct class *cls)
> static void class_create_release(struct class *cls)
> {
> pr_debug("%s called for %s\n", __func__, cls->name);
> + kfree_const(cls->name);
> kfree(cls);
> }
>
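Review bot: the kfree_const() added in class_create_release() is the correct counterpart to kstrdup_const(), but it turns this release callback into one that assumes the class owns its name; since the hunk only shows __class_create() as the creator that pairs with this release, the commit message should state that explicitly so nobody later sets class_release = class_create_release on a class whose name is a borrowed pointer.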
> @@ -227,7 +228,10 @@ struct class *__class_create(struct module *owner, const char *name,
> struct lock_class_key *key)
> {
> struct class *cls;
> - int retval;
> + int retval = -EINVAL;
> +
> + if (!name)
> + goto done;
This is a new change, who calls this function with name not being set?
>
> cls = kzalloc(sizeof(*cls), GFP_KERNEL);
> if (!cls) {
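Review bot: the `if (!name) goto done;` check is a behaviour change unrelated to the use-after-free fix and should be split into its own patch or dropped; the hunk also does not show a `done` label being added, so a reader of this diff cannot confirm what that path returns, and initialising `retval = -EINVAL` for it changes the default error value seen by every later `goto error` that does not set retval first.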
> @@ -235,18 +239,27 @@ struct class *__class_create(struct module *owner, const char *name,
> goto error;
> }
>
> + name = kstrdup_const(name, GFP_KERNEL);
> + if (!name) {
> + retval = -ENOMEM;
> + goto error;
> + }
and overwriting the pointer like that is bad-form, try doing something
else here instead.
> +
> cls->name = name;
> cls->owner = owner;
> cls->class_release = class_create_release;
>
> retval = __class_register(cls, key);
> if (retval)
> - goto error;
> + goto error_class_register;
>
> return cls;
>
> +error_class_register:
> + kfree(cls->name);
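Review bot: the `error_class_register:` path frees the name with kfree() although it was allocated with kstrdup_const(), which may have returned a pointer into read-only data rather than a heap copy; use kfree_const(cls->name) here so the unwind matches class_create_release(). Reassigning the `name` parameter to hold the duplicate also hides which pointer is the caller's and which is owned; keep the copy in a separate local (for example `const char *dup_name`) and assign that to cls->name. The hunk ends at this kfree(), so whether the path then falls through into the existing `error:` cleanup that frees `cls` is not visible in the diff.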
kfree_const()?
thanks,
greg k-h
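The ownership problem the commit message describes, reduced to a user-space model (added example, not kernel code and not part of this thread): a registration API that stores the caller's pointer keeps reading whatever that buffer holds later, while an API that duplicates the string owns its name for the object's lifetime. strdup()/free() stand in for kstrdup_const()/kfree_const(); the names my_class, create_borrowing, create_owning, release and name_survives_buffer_reuse are hypothetical. The demonstration reuses the caller's buffer rather than freeing it, so the wrong result is observable without undefined behaviour.

```c
/* Added example, not kernel code. strdup() is the user-space stand-in for
 * kstrdup_const(); all names below are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct my_class {
    const char *name;   /* either borrowed from the caller or owned */
    int owns_name;      /* 1 if name was duplicated and must be freed */
};

/* Buggy pattern: keep the caller's pointer (what __class_create() did). */
struct my_class *create_borrowing(const char *name)
{
    struct my_class *cls = calloc(1, sizeof(*cls));
    if (!cls)
        return NULL;
    cls->name = name;
    cls->owns_name = 0;
    return cls;
}

/* Fixed pattern: duplicate the name into a separate local so the object
 * outlives whatever buffer the caller passed in. */
struct my_class *create_owning(const char *name)
{
    struct my_class *cls;
    char *dup_name;

    if (!name)
        return NULL;
    cls = calloc(1, sizeof(*cls));
    if (!cls)
        return NULL;
    dup_name = strdup(name);
    if (!dup_name) {
        free(cls);
        return NULL;
    }
    cls->name = dup_name;
    cls->owns_name = 1;
    return cls;
}

/* Release path: free the name only if the object owns it, mirroring the
 * kfree_const(cls->name) added to class_create_release() in the patch. */
void release(struct my_class *cls)
{
    if (!cls)
        return;
    if (cls->owns_name)
        free((char *)cls->name);
    free(cls);
}

/* Returns 1 if the object still reports the name it was created with after
 * the caller has reused its scratch buffer, 0 if it now reports the new
 * contents, -1 on allocation failure. */
int name_survives_buffer_reuse(struct my_class *(*create)(const char *))
{
    char buf[32];
    struct my_class *cls;
    int ok;

    strcpy(buf, "first_name");
    cls = create(buf);
    if (!cls)
        return -1;
    strcpy(buf, "reused_buf");      /* caller reuses its buffer for something else */
    ok = strcmp(cls->name, "first_name") == 0;
    release(cls);
    return ok;
}

int main(void)
{
    printf("borrowing keeps correct name: %d\n",
           name_survives_buffer_reuse(create_borrowing));  /* 0 */
    printf("owning keeps correct name:    %d\n",
           name_survives_buffer_reuse(create_owning));     /* 1 */
    return 0;
}
```

The borrowing variant reports "reused_buf" after the caller overwrites its buffer; in the kernel the same pattern against a stack buffer that has gone out of scope is the use after free the patch is about.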
Thread overview (10+ messages):
2020-04-05 16:05 [PATCH] driver core: Fix possible use after free on name zhangfeionline
2020-04-05 16:40 ` Greg KH [this message]
2020-04-06 5:33 ` Fei Zhang
2020-04-06 5:41 ` Greg KH
2020-04-06 7:40 ` Fei Zhang
2020-04-06 8:28 ` Greg KH
2020-04-06 10:42 ` [External] " 宋牧春
2020-04-06 11:16 ` Greg KH
[not found] ` <CAC_bin+tzPeHX2bAz+0hY+qKsBn4-vMuqFvYvW05bDGv32SzEw@mail.gmail.com>
2020-04-07 15:01 ` Greg KH
2020-04-06 11:04 ` 宋牧春