Re: UAF in moxart_remove

On Tue, Jan 11, 2022 at 01:35:19PM +0100, Greg KH wrote:
> On Tue, Jan 11, 2022 at 01:10:51PM +0100, Greg KH wrote:
> > On Tue, Jan 11, 2022 at 09:35:11AM +0100, Marcus Meissner wrote:
> > > Hi whitehat002,
> > > 
> > > SUSE currently does not build the moxart driver, let me defer you to
> > > security@xxxxxxxxxx and the MMC maintainers.
> > > 
> > > i also opened a bug in our bugzilla just for tracking
> > > https://bugzilla.suse.com/show_bug.cgi?id=1194516
> > > 
> > > Ciao, Marcus
> > > On Tue, Jan 11, 2022 at 02:30:32PM +0800, whitehat002 whitehat002 wrote:
> > > > Hello suse security team,
> > > > 
> > > > There is a UAF in drivers/mmc/host/moxart-mmc.c
> > > > This is similar with
> > > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39
> > > > 
> > > > 
> > > > 
> > > > static int moxart_remove(struct platform_device *pdev)
> > > > {
> > > > 	struct mmc_host *mmc = dev_get_drvdata(&pdev->dev);
> > > > 	struct moxart_host *host = mmc_priv(mmc);
> > > > 
> > > > 	dev_set_drvdata(&pdev->dev, NULL);
> > > > 
> > > > 	if (!IS_ERR_OR_NULL(host->dma_chan_tx))
> > > > 		dma_release_channel(host->dma_chan_tx);
> > > > 	if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> > > > 		dma_release_channel(host->dma_chan_rx);
> > > > 	mmc_remove_host(mmc);
> > > > 	mmc_free_host(mmc);	/* [0] free: host lives inside this allocation */
> > > > 
> > > > 	/* [1] host is private data from mmc_host, freed at [0]: UAF */
> > > > 	writel(0, host->base + REG_INTERRUPT_MASK);
> > > > 	writel(0, host->base + REG_POWER_CONTROL);
> > > > 	writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
> > > > 	       host->base + REG_CLOCK_CONTROL);
> > > > 
> > > > 	return 0;
> > > > }
> > > > 
> > 
> > Can you write a patch to fix this so that you can get proper credit for
> > fixing it as well as finding it?
> 
> Here's an untested patch that "should" be correct, can someone test it
> please?
> 
> thanks,
> 
> greg k-h
> 
> 
> diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
> index 16d1c7a43d33..fe05ae81afd9 100644
> --- a/drivers/mmc/host/moxart-mmc.c
> +++ b/drivers/mmc/host/moxart-mmc.c
> @@ -704,14 +704,14 @@ static int moxart_remove(struct platform_device *pdev)
>  		dma_release_channel(host->dma_chan_tx);
>  	if (!IS_ERR_OR_NULL(host->dma_chan_rx))
>  		dma_release_channel(host->dma_chan_rx);
> -	mmc_remove_host(mmc);
> -	mmc_free_host(mmc);
> -
>  	writel(0, host->base + REG_INTERRUPT_MASK);
>  	writel(0, host->base + REG_POWER_CONTROL);
>  	writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
>  	       host->base + REG_CLOCK_CONTROL);
>  
> +	mmc_remove_host(mmc);
> +	mmc_free_host(mmc);
> +
>  	return 0;
>  }
>  
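Review bot: the hunk moves mmc_remove_host() as well as mmc_free_host() below the register writes, which masks interrupts and turns off power and clock while the MMC core may still be using the host to tear down the card; only the free needs to move, since the use-after-free is the `host->base` access after `mmc_free_host(mmc)` ([0]/[1] in the report). Suggest leaving `mmc_remove_host(mmc);` where it was and moving just `mmc_free_host(mmc);` to after the `REG_CLOCK_CONTROL` write. Since the cover note says the patch is untested, an unbind/rmmod of the driver on a build with memory-debugging enabled would confirm the corrected ordering.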

I've sent a "better" version of this patch upstream for inclusion now:
	https://lore.kernel.org/all/20220114075934.302464-1-gregkh@xxxxxxxxxxxxxxxxxxx/

As this path can only be hit if you have root privileges to unload the
module, it's not really that much of a "security" issue.

thanks,

greg k-h
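The report above hinges on a layout detail that the function body does not show: mmc_priv() returns a pointer into the tail of the mmc_host allocation, so mmc_free_host(mmc) frees host too. The following is an added, user-space model of that layout and of the two orderings (not kernel code and not from the thread); mmc_host, moxart_host, mmc_priv, mmc_alloc_host and mmc_free_host are stand-ins, the poisoned free and the single-register array are constructed for the demonstration, and the model covers only the free ordering, not the core's remove sequencing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Modelled mmc_host: as in the kernel, the driver-private struct is carved
 * out of the tail of the same allocation, so mmc_priv() returns a pointer
 * into mmc and freeing mmc frees host with it. */
struct mmc_host { int index; unsigned long private[]; };
struct moxart_host { volatile uint32_t *base; };   /* MMIO base */

#define POISON 0x6b   /* poison byte, standing in for the freed-slab state */
#define SZ (sizeof(struct mmc_host) + sizeof(struct moxart_host))

static void *mmc_priv(struct mmc_host *mmc) { return mmc->private; }
static struct mmc_host *mmc_alloc_host(void) { return calloc(1, SZ); }

/* Modelled free: poison rather than release, so a later access reads a
 * recognisable value instead of being undefined behaviour. */
static void mmc_free_host(struct mmc_host *mmc) { memset(mmc, POISON, SZ); }

/* Order from the report: free, then dereference host. Returns nonzero when
 * the base pointer read after the free is the poisoned (dangling) one. */
int remove_buggy(void)
{
	struct mmc_host *mmc = mmc_alloc_host();
	struct moxart_host *host = mmc_priv(mmc);
	uint32_t regs[1] = { 0xff };

	host->base = regs;
	mmc_free_host(mmc);                          /* [0] free */
	uintptr_t p = (uintptr_t)host->base;         /* [1] read after free */
	free(mmc);
	return (p & 0xff) == POISON;
}

/* Fixed order: quiesce the controller through host first, free last.
 * Returns the interrupt-mask register after remove (0 == masked). */
uint32_t remove_fixed(void)
{
	struct mmc_host *mmc = mmc_alloc_host();
	struct moxart_host *host = mmc_priv(mmc);
	uint32_t regs[1] = { 0xff };

	host->base = regs;
	host->base[0] = 0;          /* writel(0, host->base + REG_INTERRUPT_MASK) */
	mmc_free_host(mmc);
	free(mmc);
	return regs[0];
}
```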


