From: Zijun Hu <zijun_hu@icloud.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>
Cc: Zijun Hu <zijun_hu@icloud.com>,
linux-kernel@vger.kernel.org, Zijun Hu <quic_zijuhu@quicinc.com>,
stable@vger.kernel.org
Subject: [PATCH 1/3] driver core: class: Fix wild pointer dereference in API class_dev_iter_next()
Date: Tue, 05 Nov 2024 08:20:22 +0800 [thread overview]
Message-ID: <20241105-class_fix-v1-1-80866f9994a5@quicinc.com> (raw)
In-Reply-To: <20241105-class_fix-v1-0-80866f9994a5@quicinc.com>
From: Zijun Hu <quic_zijuhu@quicinc.com>
class_dev_iter_init(struct class_dev_iter *iter, struct class *class, ...)
has return type void, but it does not initialize its output parameter @iter
when suffers class_to_subsys(@class) error, so caller can not detect the
error and call API class_dev_iter_next(@iter) which will dereference wild
pointers of @iter's members as shown by below typical usage:
// @iter's members are wild pointers
struct class_dev_iter iter;
// No change in @iter when the error happens.
class_dev_iter_init(&iter, ...);
// dereference these wild member pointers here.
while (dev = class_dev_iter_next(&iter)) { ... }.
Actually, all callers of the API have such usage pattern in kernel tree.
Fix by memset() @iter in API *_init() and error checking @iter in *_next().
Fixes: 7b884b7f24b4 ("driver core: class.c: convert to only use class_to_subsys")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
---
Alternative fix solutions ever thought about:
1) Use BUG_ON(!sp) instead of error return in class_dev_iter_init().
2) Change class_dev_iter_init()'s type to int, lots of jobs to do.
---
drivers/base/class.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/base/class.c b/drivers/base/class.c
index cb5359235c70..b331dda002e3 100644
--- a/drivers/base/class.c
+++ b/drivers/base/class.c
@@ -323,8 +323,11 @@ void class_dev_iter_init(struct class_dev_iter *iter, const struct class *class,
struct subsys_private *sp = class_to_subsys(class);
struct klist_node *start_knode = NULL;
- if (!sp)
+ memset(iter, 0, sizeof(*iter));
+ if (!sp) {
+ pr_crit("%s: the class was not registered yet\n", __func__);
return;
+ }
if (start)
start_knode = &start->p->knode_class;
@@ -351,6 +354,9 @@ struct device *class_dev_iter_next(struct class_dev_iter *iter)
struct klist_node *knode;
struct device *dev;
+ if (!iter->sp)
+ return NULL;
+
while (1) {
knode = klist_next(&iter->ki);
if (!knode)
--
2.34.1
next prev parent reply other threads:[~2024-11-05 0:21 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-05 0:20 [PATCH 0/3] driver core: class: Fix bug and code improvements for class APIs Zijun Hu
2024-11-05 0:20 ` Zijun Hu [this message]
2024-11-12 11:43 ` [PATCH 1/3] driver core: class: Fix wild pointer dereference in API class_dev_iter_next() Greg Kroah-Hartman
2024-11-12 14:46 ` Zijun Hu
2024-11-12 14:57 ` Greg Kroah-Hartman
2024-11-12 15:05 ` Zijun Hu
2024-11-13 12:39 ` Zijun Hu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241105-class_fix-v1-1-80866f9994a5@quicinc.com \
--to=zijun_hu@icloud.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=quic_zijuhu@quicinc.com \
--cc=rafael@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox