linux/drivers
Zheyu Ma 829933ef05 firewire: nosy: Fix a use-after-free bug in nosy_ioctl()
For each device, the nosy driver allocates a pcilynx structure.
A use-after-free might happen in the following scenario:

 1. Open the nosy device for the first time and call ioctl with command
    NOSY_IOC_START, then a new client A will be malloced and added to
    the doubly linked list.
 2. Open the nosy device for the second time and call ioctl with command
    NOSY_IOC_START, then a new client B will be malloced and added to
    the doubly linked list.
 3. Call ioctl with command NOSY_IOC_START for client A, then client A
    will be re-added to the doubly linked list. Now the doubly linked
    list is messed up.
 4. Close the first nosy device and nosy_release will be called. In
    nosy_release, client A will be unlinked and freed.
 5. Close the second nosy device, and client A will be referenced,
    resulting in UAF.

The root cause of this bug is that the element in the doubly linked list
is reentered into the list.

Fix this bug by adding a check before inserting a client.  If a client
is already in the linked list, don't insert it.

The following KASAN report reveals it:

   BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210
   Write of size 8 at addr ffff888102ad7360 by task poc
   CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
   Call Trace:
     nosy_release+0x1ea/0x210
     __fput+0x1e2/0x840
     task_work_run+0xe8/0x180
     exit_to_user_mode_prepare+0x114/0x120
     syscall_exit_to_user_mode+0x1d/0x40
     entry_SYSCALL_64_after_hwframe+0x44/0xae

   Allocated by task 337:
     nosy_open+0x154/0x4d0
     misc_open+0x2ec/0x410
     chrdev_open+0x20d/0x5a0
     do_dentry_open+0x40f/0xe80
     path_openat+0x1cf9/0x37b0
     do_filp_open+0x16d/0x390
     do_sys_openat2+0x11d/0x360
     __x64_sys_open+0xfd/0x1a0
     do_syscall_64+0x33/0x40
     entry_SYSCALL_64_after_hwframe+0x44/0xae

   Freed by task 337:
     kfree+0x8f/0x210
     nosy_release+0x158/0x210
     __fput+0x1e2/0x840
     task_work_run+0xe8/0x180
     exit_to_user_mode_prepare+0x114/0x120
     syscall_exit_to_user_mode+0x1d/0x40
     entry_SYSCALL_64_after_hwframe+0x44/0xae

   The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128
   The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)

[ Modified to use 'list_empty()' inside proper lock  - Linus ]

Link: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/
Reported-and-tested-by: 马哲宇 (Zheyu Ma) <zheyuma97@gmail.com>
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Cc: Greg Kroah-Hartman <greg@kroah.com>
Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-04-04 14:05:45 -07:00
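The five-step scenario in the commit message, replayed in user space as an added example. This is not code from the nosy driver or from the kernel: `struct list_head` and its helpers are a minimal stand-in for `<linux/list.h>`, and `struct lynx`, `struct client`, `ioc_start()`, `list_check()` and `replay()` are hypothetical names chosen for the illustration. It assumes the client's `link` is initialised at open time (which is what makes the `list_empty()` check of the fix meaningful). Client A is unlinked in step 4 but deliberately not freed, so the program inspects the dangling reference instead of dereferencing it; `list_check()` walks the list after the re-add and reports whether it is still consistent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the kernel's intrusive doubly linked list (<linux/list.h>). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	struct list_head *prev = head->prev;
	n->next = head;
	n->prev = prev;
	prev->next = n;
	head->prev = n;
}

static void list_del(struct list_head *n)
{
	/* When n->prev still names a freed neighbour, the first store below is
	 * exactly the "write of size 8" into freed memory that KASAN reports. */
	n->prev->next = n->next;
	n->next->prev = n->prev;
}

static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Hypothetical stand-ins for the driver's per-open client and per-device state. */
struct client { struct list_head link; int id; };
struct lynx   { struct list_head client_list; };

/* NOSY_IOC_START as the commit describes it: the buggy path links the client
 * unconditionally; the fixed path refuses a client that is already linked. */
static bool ioc_start(struct lynx *lynx, struct client *c, bool guarded)
{
	if (guarded && !list_empty(&c->link))
		return false;           /* already on the list: do not re-insert */
	list_add_tail(&c->link, &lynx->client_list);
	return true;
}

/* Forward walk with back-pointer verification. Returns the client count, or -1
 * when the list is inconsistent (a node whose next->prev does not point back). */
static int list_check(const struct list_head *head)
{
	const struct list_head *p = head;
	int steps = 0;
	do {
		if (p->next->prev != p)
			return -1;
		p = p->next;
		if (++steps > 64)       /* bound the walk so a cycle cannot hang us */
			return -1;
	} while (p != head);
	return steps - 1;               /* do not count the head itself */
}

struct replay_result {
	bool third_start_accepted;      /* did step 3 re-link client A? */
	int  integrity_after_readd;     /* list_check() result after step 3 */
	bool release_b_touches_a;       /* would step 5 store through A's node? */
};

/* Replays steps 1-5 of the commit message on stack-allocated clients (constructed input). */
static struct replay_result replay(bool guarded)
{
	struct lynx lynx;
	struct client a = { .id = 1 }, b = { .id = 2 };
	struct replay_result r;

	INIT_LIST_HEAD(&lynx.client_list);
	INIT_LIST_HEAD(&a.link);        /* assumed: link initialised at open time */
	INIT_LIST_HEAD(&b.link);

	ioc_start(&lynx, &a, guarded);                          /* step 1 */
	ioc_start(&lynx, &b, guarded);                          /* step 2 */
	r.third_start_accepted = ioc_start(&lynx, &a, guarded); /* step 3: re-add A */
	r.integrity_after_readd = list_check(&lynx.client_list);

	list_del(&a.link);                      /* step 4: A unlinked (and, in the driver, freed) */

	/* step 5 would run list_del(&b.link), which stores through b.link.prev and
	 * b.link.next; if either still names A's node, that store hits freed memory. */
	r.release_b_touches_a = (b.link.prev == &a.link) || (b.link.next == &a.link);
	return r;
}

int main(void)
{
	for (int guarded = 0; guarded < 2; guarded++) {
		struct replay_result r = replay(guarded);
		printf("%s: re-add %s, list_check=%d, release(B) touches unlinked A: %s\n",
		       guarded ? "fixed" : "buggy",
		       r.third_start_accepted ? "accepted" : "rejected",
		       r.integrity_after_readd, r.release_b_touches_a ? "yes" : "no");
	}
	return 0;
}
```

In the unguarded replay the second `list_add_tail()` of A leaves `head->next` pointing at A while A's own `prev` points at B, so the back-pointer check fails immediately; after A is unlinked, B's `prev` still names A, which is the reference that becomes a write into freed memory once A has been released. With the `list_empty()` guard the third START is simply rejected and both release paths only touch live nodes. In the driver the check has to run under the same lock that protects the list, as the bracketed note in the commit message points out, otherwise a concurrent START on the same client could still race past it.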
accessibility Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
acpi Merge branches 'acpi-tables' and 'acpi-scan' 2021-04-02 16:57:56 +02:00
amba
android
ata
atm module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
auxdisplay auxdisplay: Remove in_interrupt() usage. 2021-03-16 16:32:40 +01:00
base Driver core fix for 5.12-rc6 2021-04-03 10:14:47 -07:00
bcma
block block-5.12-2021-04-02 2021-04-02 16:13:13 -07:00
bluetooth module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
bus Fixes for omaps for v5.12-rc cycle 2021-03-18 23:52:27 +01:00
cdrom
char module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
clk clk: qcom: gcc-sc7180: Use floor ops for the correct sdcc1 clk 2021-03-13 13:00:05 -08:00
clocksource A small set of clockevent fixes which fell through the cracks 2021-02-22 14:11:36 -08:00
connector
counter counter: stm32-timer-cnt: fix ceiling miss-alignment with reload register 2021-03-06 16:48:09 +00:00
cpufreq cpufreq: Fix scaling_{available,boost}_frequencies_show() comments 2021-03-26 17:43:48 +01:00
cpuidle
crypto vio: make remove callback return void 2021-03-02 22:41:23 +11:00
cxl cxl/mem: Fix potential memory leak 2021-02-22 14:44:39 -08:00
dax Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2021-02-27 08:07:12 -08:00
dca
devfreq Merge branches 'pm-devfreq' and 'pm-tools' 2021-02-15 17:02:04 +01:00
dio
dma dmaengine updates for v5.12-rc1 2021-02-23 15:05:10 -08:00
dma-buf dma-fence: allow signaling drivers to set fence timestamp 2021-02-24 21:05:28 +05:30
edac Merge branch 'edac-misc' into edac-updates-for-v5.12 2021-02-15 10:06:58 +01:00
eisa
extcon extcon: Fix error handling in extcon_dev_register 2021-03-15 11:09:38 +09:00
firewire firewire: nosy: Fix a use-after-free bug in nosy_ioctl() 2021-04-04 14:05:45 -07:00
firmware Another couple of EFI fixes for v5.12-rc: 2021-03-19 14:23:46 +01:00
fpga
fsi
gnss
gpio gpiolib: Assign fwnode to parent's if no primary one provided 2021-03-16 10:18:08 +01:00
gpu drm/imx: imx-drm-core and imx-ldb fixes 2021-04-02 04:53:16 +10:00
greybus
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid 2021-02-23 14:52:22 -08:00
hsi
hv mm/memory_hotplug: MEMHP_MERGE_RESOURCE -> MHP_MERGE_RESOURCE 2021-02-26 09:41:00 -08:00
hwmon Devicetree updates for v5.12: 2021-02-22 10:05:12 -08:00
hwspinlock hwspinlock: omap: Add support for K3 AM64x SoCs 2021-02-09 11:36:50 -06:00
hwtracing ARM updates for 5.12-rc1: 2021-02-22 14:27:07 -08:00
i2c i2c: exynos5: Preserve high speed master code 2021-02-26 11:47:42 +01:00
i3c I3C for 5.12 2021-02-22 09:52:55 -08:00
ide ide-5.11-2021-02-28 2021-02-28 15:48:25 -08:00
idle
iio First set of IIO and counter fixes for the 5.12 cycle 2021-03-15 16:34:39 +01:00
infiniband RDMA 5.12 second rc pull request 2021-03-25 11:23:35 -07:00
input module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
interconnect interconnect: Fix kerneldoc warning 2021-03-18 23:46:21 +02:00
iommu iommu/tegra-smmu: Make tegra_smmu_probe_device() to handle all IOMMU phandles 2021-03-18 11:31:12 +01:00
ipack ipack: Handle a driver without remove callback 2021-02-09 09:48:23 +01:00
irqchip irqchip/ingenic: Add support for the JZ4760 2021-03-09 08:45:17 +00:00
isdn isdn: capi: fix mismatched prototypes 2021-03-22 16:51:11 -07:00
leds leds: trigger/tty: Use led_set_brightness_sync() from workqueue 2021-03-10 09:27:56 +01:00
lightnvm lightnvm: pblk: Replace guid_copy() with export_guid()/import_guid() 2021-02-14 21:27:24 -07:00
macintosh
mailbox mailbox: arm_mhuv2: Skip calling kfree() with invalid pointer 2021-02-22 13:34:27 -06:00
mcb
md dm ioctl: fix out of bounds array access when no devices 2021-03-26 14:51:50 -04:00
media module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
memory Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
memstick
message
mfd mfd: intel_quark_i2c_gpio: Revert "Constify static struct resources" 2021-03-23 09:14:12 +00:00
misc mei: allow map and unmap of client dma buffer only for disconnected client 2021-03-23 15:15:15 +01:00
mmc mmc: cqhci: Fix random crash when remove mmc module/card 2021-03-09 10:00:52 +01:00
most
mtd module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
mux
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-03-24 18:16:04 -07:00
nfc Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
ntb NTB: Add support for EPF PCI Non-Transparent Bridge 2021-02-23 14:12:53 -06:00
nubus
nvdimm libnvdimm + device-dax for 5.12 2021-02-24 09:35:54 -08:00
nvme nvmet-tcp: fix kmap leak when data digest in use 2021-03-18 05:39:18 +01:00
nvmem nvmem: qcom-spmi-sdam: Fix uninitialized pdev pointer 2021-02-05 11:25:52 +01:00
of Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
opp opp: Don't drop extra references to OPPs accidentally 2021-03-12 09:26:52 +05:30
parisc
parport module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
pci powerpc fixes for 5.12 #4 2021-03-21 10:57:35 -07:00
pcmcia Merge branch 'pcmcia-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux 2021-02-26 13:54:43 -08:00
perf perf/arm_dmc620_pmu: Fix error return code in dmc620_pmu_device_probe() 2021-03-12 11:30:31 +00:00
phy phy: second round of phy fixes for v5.11 2021-02-10 10:39:23 +01:00
pinctrl intel-pinctrl for v5.12-3 2021-03-30 00:46:49 +02:00
platform platform/x86: intel_pmc_core: Ignore GBE LTR on Tiger Lake platforms 2021-03-23 21:50:14 +01:00
pnp
power
powercap powercap/drivers/dtpm: Add the experimental label to the option description 2021-03-01 17:43:29 +01:00
pps
ps3
ptp ptp_qoriq: fix overflow in ptp_qoriq_adjfine() u64 calcalation 2021-03-24 12:10:03 -07:00
pwm pwm: Changes for v5.12-rc1 2021-02-25 12:23:49 -08:00
rapidio
ras
regulator regulator: mt6315: Fix off-by-one for .n_voltages 2021-03-11 13:23:21 +00:00
remoteproc remoteproc: qcom: pas: Add SM8350 PAS remoteprocs 2021-02-11 12:52:18 -06:00
reset RISC-V Patches for the 5.12 Merge Window 2021-02-26 10:28:35 -08:00
rpmsg
rtc Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2021-02-27 08:07:12 -08:00
s390 module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
sbus module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
scsi SCSI fixes on 20210402 2021-04-03 09:07:35 -07:00
sh module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
siox
slimbus
soc OpenRISC fix for 5.12 2021-04-03 15:42:45 -07:00
soundwire ALSA: hda: move Intel SoundWire ACPI scan to dedicated module 2021-03-02 15:33:00 +01:00
spi spi: cadence: set cqspi to the driver_data field of struct device 2021-03-11 13:32:32 +00:00
spmi spmi: spmi-pmic-arb: Fix hw_irq overflow 2021-02-12 12:26:46 +01:00
ssb
staging staging: rtl8192e: Change state information from u16 to u8 2021-03-23 13:32:40 +01:00
target scsi: target: pscsi: Clean up after failure in pscsi_map_sg() 2021-03-24 23:19:23 -04:00
tc
tee module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
thermal thermal/core: Add NULL pointer check before using cooling device stats 2021-03-17 09:55:58 +01:00
thunderbolt thunderbolt: Increase runtime PM reference count on DP tunnel discovery 2021-03-08 14:22:42 +03:00
tty Serial driver fix for 5.12-rc6 2021-04-03 10:00:53 -07:00
uio uio: uio_pci_generic: don't fail probe if pdev->irq equals to IRQ_NOTCONNECTED 2021-02-09 12:25:32 +01:00
usb usb: dwc2: Prevent core suspend when port connection flag is 0 2021-03-26 14:51:34 +01:00
vdpa vdpa_sim: Skip typecasting from void* 2021-03-14 04:37:36 -04:00
vfio vfio/nvlink: Add missing SPAPR_TCE_IOMMU depends 2021-03-29 14:48:00 -06:00
vhost virtio: fixes, cleanups 2021-03-18 11:20:35 -07:00
video hyperv-fixes for 5.12-rc6 2021-04-03 10:42:20 -07:00
virt virt: acrn: Correct type casting of argument of copy_from_user() 2021-03-10 16:59:50 +01:00
virtio virtio: fixes, cleanups 2021-03-18 11:20:35 -07:00
visorbus
vlynq
vme vme: make remove callback return void 2021-02-09 12:15:07 +01:00
w1
watchdog module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
xen xen: branch for v5.12-rc5 2021-03-26 11:15:25 -07:00
zorro
Kconfig cxl/mem: Introduce a driver for CXL-2.0-Type-3 endpoints 2021-02-16 20:36:38 -08:00
Makefile Simple Firmware Interface (SFI) support removal for v5.12-rc1 2021-02-24 10:35:29 -08:00