From: Greg KH <gregkh@linuxfoundation.org>
To: Zheng Hacker <hackerzheng666@gmail.com>
Cc: Yongqin Liu <yongqin.liu@linaro.org>,
John Stultz <jstultz@google.com>, Zheng Wang <zyytlz.wz@163.com>,
Sumit Semwal <sumit.semwal@linaro.org>,
arnd@arndb.de, linux-kernel@vger.kernel.org,
1395428693sheep@gmail.com, alex000young@gmail.com,
Mauro Carvalho Chehab <mchehab@kernel.org>
Subject: Re: [PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition
Date: Thu, 13 Apr 2023 14:47:58 +0200 [thread overview]
Message-ID: <2023041308-nerd-dry-98a6@gregkh> (raw)
In-Reply-To: <CAJedcCzm3MqYe3QGT7V4sMmDsVHbjVSnEc2NXWPMGVZL=a_cBA@mail.gmail.com>
On Thu, Apr 13, 2023 at 07:12:07PM +0800, Zheng Hacker wrote:
> Yongqin Liu <yongqin.liu@linaro.org> 于2023年4月13日周四 18:55写道:
> >
> > Hi, Zheng
> >
> > On Thu, 13 Apr 2023 at 16:08, Zheng Hacker <hackerzheng666@gmail.com> wrote:
> > >
> > > Friendly ping about the bug.
> >
> > Sorry, wasn't aware of this message before,
> >
> > Could you please help share the instructions to reproduce the problem
> > this change fixes?
> >
>
> Hi Yongqin,
>
> Thanks for your reply. This bug is found by static analysis. There is no PoC.
>
> >From my personal experience, triggering race condition bugs stably in
> the kernel needs some tricks.
> For example, you can insert some sleep-time code to slow down the
> thread until the related object is freed.
> Besides, you can use gdb to control the time window. Also, there are
> some other tricks as [1] said.
>
> As for the reproduction, this attack vector requires that the attacker
> can physically access the device.
> When he/she unplugs the usb, the remove function is triggered, and if
> the set callback is invoked, there might be a race condition.
How does the removal of the USB device trigger a platform device
removal?
Are you sure this can be triggered by some other way other than manually
unloading the driver?
thanks,
greg k-h
next prev parent reply other threads:[~2023-04-13 12:48 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-12 14:53 [PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition Zheng Wang
2023-03-13 19:57 ` John Stultz
2023-03-14 1:01 ` Zheng Hacker
2023-04-13 8:07 ` Zheng Hacker
2023-04-13 10:55 ` Yongqin Liu
2023-04-13 11:12 ` Zheng Hacker
2023-04-13 12:47 ` Greg KH [this message]
2023-04-13 15:35 ` Zheng Hacker
2023-04-13 15:56 ` Greg KH
2023-04-13 16:46 ` Zheng Hacker
2023-04-17 17:31 ` Yongqin Liu
2023-04-18 13:18 ` Zheng Hacker
2023-04-20 6:30 ` Yongqin Liu
2023-04-21 2:35 ` Zheng Hacker
2023-04-21 15:42 ` Yongqin Liu
2023-04-22 17:09 ` Zheng Hacker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2023041308-nerd-dry-98a6@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=1395428693sheep@gmail.com \
--cc=alex000young@gmail.com \
--cc=arnd@arndb.de \
--cc=hackerzheng666@gmail.com \
--cc=jstultz@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=sumit.semwal@linaro.org \
--cc=yongqin.liu@linaro.org \
--cc=zyytlz.wz@163.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox