From: Greg KH <greg@kroah.com>
To: Qiu-ji Chen <chenqiuji666@gmail.com>
Cc: nipun.gupta@amd.com, nikhil.agarwal@amd.com,
linux-kernel@vger.kernel.org, baijiaju1990@gmail.com,
stable@vger.kernel.org
Subject: Re: [PATCH v2] cdx: Fix possible UAF error in driver_override_show()
Date: Tue, 12 Nov 2024 19:13:04 +0100 [thread overview]
Message-ID: <2024111230-snowdrop-haven-3a54@gregkh> (raw)
In-Reply-To: <20241112162338.39689-1-chenqiuji666@gmail.com>
On Wed, Nov 13, 2024 at 12:23:38AM +0800, Qiu-ji Chen wrote:
> There is a data race between the functions driver_override_show() and
> driver_override_store(). In the driver_override_store() function, the
> assignment to ret calls driver_set_override(), which frees the old value
> while writing the new value to dev. If a race occurs, it may cause a
> use-after-free (UAF) error in driver_override_show().
>
> To fix this issue, we adopt a logic similar to the driver_override_show()
> function in vmbus_drv.c, protecting dev within a lock to ensure its value
> remains unchanged.
>
> This possible bug is found by an experimental static analysis tool
> developed by our team. This tool analyzes the locking APIs to extract
> function pairs that can be concurrently executed, and then analyzes the
> instructions in the paired functions to identify possible concurrency bugs
> including data races and atomicity violations.
>
> Fixes: 48a6c7bced2a ("cdx: add device attributes")
> Cc: stable@vger.kernel.org
> Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
> ---
> V2:
> Modified the title and description.
> Removed the changes to cdx_bus_match().
> ---
> drivers/cdx/cdx.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/cdx/cdx.c b/drivers/cdx/cdx.c
> index 07371cb653d3..4af1901c9d52 100644
> --- a/drivers/cdx/cdx.c
> +++ b/drivers/cdx/cdx.c
> @@ -470,8 +470,12 @@ static ssize_t driver_override_show(struct device *dev,
> struct device_attribute *attr, char *buf)
> {
> struct cdx_device *cdx_dev = to_cdx_device(dev);
> + ssize_t len;
>
> - return sysfs_emit(buf, "%s\n", cdx_dev->driver_override);
> + device_lock(dev);
> + len = sysfs_emit(buf, "%s\n", cdx_dev->driver_override);
> + device_unlock(dev);
No, you should not need to lock a device in a sysfs callback like this,
especially for just printing out a string.
greg k-h
next prev parent reply other threads:[~2024-11-12 18:13 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-12 16:23 [PATCH v2] cdx: Fix possible UAF error in driver_override_show() Qiu-ji Chen
2024-11-12 18:13 ` Greg KH [this message]
2025-01-15 4:04 ` Qiu-ji Chen
2025-01-15 7:57 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2024111230-snowdrop-haven-3a54@gregkh \
--to=greg@kroah.com \
--cc=baijiaju1990@gmail.com \
--cc=chenqiuji666@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nikhil.agarwal@amd.com \
--cc=nipun.gupta@amd.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox