Re: [PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <gregkh@linuxfoundation.org>
To: Zheng Hacker <hackerzheng666@gmail.com>
Cc: Yongqin Liu <yongqin.liu@linaro.org>,
	John Stultz <jstultz@google.com>, Zheng Wang <zyytlz.wz@163.com>,
	Sumit Semwal <sumit.semwal@linaro.org>,
	arnd@arndb.de, linux-kernel@vger.kernel.org,
	1395428693sheep@gmail.com, alex000young@gmail.com,
	Mauro Carvalho Chehab <mchehab@kernel.org>
Subject: Re: [PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition
Date: Thu, 13 Apr 2023 17:56:06 +0200	[thread overview]
Message-ID: <2023041308-unvisited-slinky-a56f@gregkh> (raw)
In-Reply-To: <CAJedcCyeM2a79i0=ffKwdKfnQayo7svhTTEth2ka6K9np0Ztiw@mail.gmail.com>

On Thu, Apr 13, 2023 at 11:35:17PM +0800, Zheng Hacker wrote:
> Greg KH <gregkh@linuxfoundation.org> 于2023年4月13日周四 20:48写道：
> >
> > On Thu, Apr 13, 2023 at 07:12:07PM +0800, Zheng Hacker wrote:
> > > Yongqin Liu <yongqin.liu@linaro.org> 于2023年4月13日周四 18:55写道：
> > > >
> > > > Hi, Zheng
> > > >
> > > > On Thu, 13 Apr 2023 at 16:08, Zheng Hacker <hackerzheng666@gmail.com> wrote:
> > > > >
> > > > > Friendly ping about the bug.
> > > >
> > > > Sorry, wasn't aware of this message before,
> > > >
> > > > Could you please help share the instructions to reproduce the problem
> > > > this change fixes?
> > > >
> > >
> > > Hi Yongqin,
> > >
> > > Thanks for your reply. This bug is found by static analysis. There is no PoC.
> > >
> > > >From my personal experience, triggering race condition bugs stably in
> > > the kernel needs some tricks.
> > > For example, you can insert some sleep-time code to slow down the
> > > thread until the related object is freed.
> > > Besides, you can use gdb to control the time window. Also, there are
> > > some other tricks as [1] said.
> > >
> > > As for the reproduction, this attack vector requires that the attacker
> > > can physically access the device.
> > > When he/she unplugs the usb, the remove function is triggered, and if
> > > the set callback is invoked, there might be a race condition.
> >
> > How does the removal of the USB device trigger a platform device
> > removal?
> 
> Sorry I made a mistake. The USB device usually calls disconnect
> callback when it's unpluged.

Yes, but you are changing the platform device disconnect, not the USB
device disconnect.

> What I want to express here is When the driver-related device(here
> it's USB GPIO Hub) was removed, the remove function is triggered.

And is this a patform device on a USB device?  If so, that's a bigger
problem that we need to fix as that is not allowed.

But in looking at the code, it does not seem to be that at all, this is
just a "normal" platform device.  So how can it ever be removed from the
system?  (and no, unloading the driver doesn't count, that can never
happen on a normal machine.)

thanks,

greg k-h

next prev parent reply	other threads:[~2023-04-13 15:56 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-12 14:53 [PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition Zheng Wang
2023-03-13 19:57 ` John Stultz
2023-03-14  1:01   ` Zheng Hacker
2023-04-13  8:07     ` Zheng Hacker
2023-04-13 10:55       ` Yongqin Liu
2023-04-13 11:12         ` Zheng Hacker
2023-04-13 12:47           ` Greg KH
2023-04-13 15:35             ` Zheng Hacker
2023-04-13 15:56               ` Greg KH [this message]
2023-04-13 16:46                 ` Zheng Hacker
2023-04-17 17:31                   ` Yongqin Liu
2023-04-18 13:18                     ` Zheng Hacker
2023-04-20  6:30                       ` Yongqin Liu
2023-04-21  2:35                         ` Zheng Hacker
2023-04-21 15:42                           ` Yongqin Liu
2023-04-22 17:09                             ` Zheng Hacker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2023041308-unvisited-slinky-a56f@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=1395428693sheep@gmail.com \
    --cc=alex000young@gmail.com \
    --cc=arnd@arndb.de \
    --cc=hackerzheng666@gmail.com \
    --cc=jstultz@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=sumit.semwal@linaro.org \
    --cc=yongqin.liu@linaro.org \
    --cc=zyytlz.wz@163.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox