kernel/linux.git/drivers/firewire/nosy.c, branch v4.14.286

firewire: nosy: Fix a use-after-free bug in nosy_ioctl()

2021-04-07T10:47:03+00:00

[ Upstream commit 829933ef05a951c8ff140e814656d73e74915faf ] For each device, the nosy driver allocates a pcilynx structure. A use-after-free might happen in the following scenario: 1. Open nosy device for the first time and call ioctl with command NOSY_IOC_START, then a new client A will be malloced and added to doubly linked list. 2. Open nosy device for the second time and call ioctl with command NOSY_IOC_START, then a new client B will be malloced and added to doubly linked list. 3. Call ioctl with command NOSY_IOC_START for client A, then client A will be readded to the doubly linked list. Now the doubly linked list is messed up. 4. Close the first nosy device and nosy_release will be called. In nosy_release, client A will be unlinked and freed. 5. Close the second nosy device, and client A will be referenced, resulting in UAF. The root cause of this bug is that the element in the doubly linked list is reentered into the list. Fix this bug by adding a check before inserting a client. If a client is already in the linked list, don't insert it. The following KASAN report reveals it: BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210 Write of size 8 at addr ffff888102ad7360 by task poc CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: nosy_release+0x1ea/0x210 __fput+0x1e2/0x840 task_work_run+0xe8/0x180 exit_to_user_mode_prepare+0x114/0x120 syscall_exit_to_user_mode+0x1d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae Allocated by task 337: nosy_open+0x154/0x4d0 misc_open+0x2ec/0x410 chrdev_open+0x20d/0x5a0 do_dentry_open+0x40f/0xe80 path_openat+0x1cf9/0x37b0 do_filp_open+0x16d/0x390 do_sys_openat2+0x11d/0x360 __x64_sys_open+0xfd/0x1a0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 337: kfree+0x8f/0x210 nosy_release+0x158/0x210 __fput+0x1e2/0x840 task_work_run+0xe8/0x180 exit_to_user_mode_prepare+0x114/0x120 syscall_exit_to_user_mode+0x1d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380) [ Modified to use 'list_empty()' inside proper lock - Linus ] Link: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/ Reported-and-tested-by: 马哲宇 (Zheyu Ma) Signed-off-by: Zheyu Ma Cc: Greg Kroah-Hartman Cc: Stefan Richter Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin

firewire: nosy: do not ignore errors in ioremap_nocache()

2016-10-09T09:38:11+00:00

There is no check if ioremap_nocache() returns a valid pointer. Potentially it can lead to null pointer dereference. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Signed-off-by: Stefan Richter (renamed goto labels)

firewire: nosy: Replace timeval with timespec64

2016-03-22T14:14:30+00:00

'struct timeval' uses a 32 bit field for its 'seconds' value which will overflow in year 2038 and beyond. This patch replaces the use of timeval in nosy.c with timespec64 which doesn't suffer from y2038 issue. The code is correct as is - since it is only using the microseconds portion of timeval. However, this patch does the replacement as part of a larger effort to remove all instances of 'struct timeval' from the kernel (that would help identify cases where the code is actually broken). Signed-off-by: Tina Ruchandani Reviewed-by: Arnd Bergmann Signed-off-by: Stefan Richter

firewire: nosy: Replace timeval with timespec64

2015-11-05T13:21:22+00:00

32 bit systems using 'struct timeval' will break in the year 2038, so we replace the code appropriately. However, this driver is not broken in 2038 since we are using only the microseconds portion of the current time. This patch replaces timeval with timespec64. Signed-off-by: Amitoj Kaur Chawla Reviewed-by: Arnd Bergmann Signed-off-by: Stefan Richter

firewire: remove use of __devinitdata

2012-11-28T20:40:42+00:00

CONFIG_HOTPLUG is going away as an option so __devinitdata is no longer needed. Signed-off-by: Bill Pemberton Acked-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman

firewire: remove use of __devinit

2012-11-28T20:40:42+00:00

CONFIG_HOTPLUG is going away as an option so __devinit is no longer needed. Signed-off-by: Bill Pemberton Acked-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman

firewire: use module_pci_driver

2012-04-09T12:23:37+00:00

This patch converts the drivers in drivers/firewire/* to use module_pci_driver() macro which makes the code smaller and a bit simpler. Signed-off-by: Axel Lin Signed-off-by: Stefan Richter

firewire: nosy: Use the macro DMA_BIT_MASK().

2012-02-22T21:36:01+00:00

Use the macro DMA_BIT_MASK instead of the constant 0xffffffff Signed-off-by: Santosh Nayak Signed-off-by: Stefan Richter

atomic: use

2011-07-26T23:49:47+00:00

This allows us to move duplicated code in (atomic_inc_not_zero() for now) to Signed-off-by: Arun Sharma Reviewed-by: Eric Dumazet Cc: Ingo Molnar Cc: David Miller Cc: Eric Dumazet Acked-by: Mike Frysinger Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

firewire: nosy: char device is not seekable

2010-12-12T14:47:02+00:00

Amend .open handler accordingly and remove the .llseek handler. .llseek = NULL means no_llseek (return error) since commit 776c163b1b93. The only client that uses this interface is nosy-dump in linux/tools/firewire and it knows not to seek in this char dev. Signed-off-by: Stefan Richter