Re: [PATCH v2] char: xillybus: Prevent use-after-free due to race condition

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 13/11/2022 10:05, Hyunwoo Kim wrote:
Dear,

Sorry for the late review.

This patch cannot prevent the UAF scenario I presented:
```
                 cpu0                                                cpu1
        1. xillyusb_open()
           mutex_lock(&kref_mutex);    // unaffected lock
           xillybus_find_inode()
           mutex_lock(&unit_mutex);
           unit = iter;
           mutex_unlock(&unit_mutex);
                                                              2. xillyusb_disconnect()
                                                                 xillybus_cleanup_chrdev()
                                                                 mutex_lock(&unit_mutex);
                                                                 kfree(unit);
                                                                 mutex_unlock(&unit_mutex);
        3. *private_data = unit->private_data;   // UAF

```

This is a UAF for 'unit', not a UAF for 'xdev'.
So, the added 'kref_mutex' has no effect.


You're correct. This submitted patch solves only one problem out of two. It prevents the content of @private_data to be freed, but you're right that @unit itself isn't protected well enough.

The problem you're pointing at is that @unit can be freed before its attempted use, because the mutex is released too early.

This is easily solved by moving down the mutex_unlock() call to after @unit has been used. Do you want the pleasure to submit this patch, or should I?

Thanks,
  Eli



[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux