drivers/char/pcmcia/scr24x_cs.c | 72 +++++++++++++++++++++++---------- 1 file changed, 51 insertions(+), 21 deletions(-)
A race condition may occur if the user physically removes the
pcmcia device while calling open() for this char device node.
This is a race condition between the scr24x_open() function and
the scr24x_remove() function, which may eventually result in UAF.
So, add a mutex to the scr24x_open() and scr24x_remove() functions
to avoid race contidion of krefs.
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
drivers/char/pcmcia/scr24x_cs.c | 72 +++++++++++++++++++++++----------
1 file changed, 51 insertions(+), 21 deletions(-)
diff --git a/drivers/char/pcmcia/scr24x_cs.c b/drivers/char/pcmcia/scr24x_cs.c
index 1bdce08fae3d..57fe08b3c03a 100644
--- a/drivers/char/pcmcia/scr24x_cs.c
+++ b/drivers/char/pcmcia/scr24x_cs.c
@@ -33,6 +33,7 @@
struct scr24x_dev {
struct device *dev;
+ struct pcmcia_device *p_dev;
struct cdev c_dev;
unsigned char buf[CCID_MAX_LEN];
int devno;
@@ -42,15 +43,31 @@ struct scr24x_dev {
};
#define SCR24X_DEVS 8
-static DECLARE_BITMAP(scr24x_minors, SCR24X_DEVS);
+static struct pcmcia_device *dev_table[SCR24X_DEVS];
+static DEFINE_MUTEX(remove_mutex);
static struct class *scr24x_class;
static dev_t scr24x_devt;
static void scr24x_delete(struct kref *kref)
{
- struct scr24x_dev *dev = container_of(kref, struct scr24x_dev,
- refcnt);
+ struct scr24x_dev *dev = container_of(kref, struct scr24x_dev, refcnt);
+ struct pcmcia_device *link = dev->p_dev;
+ int devno;
+
+ for (devno = 0; devno < SCR24X_DEVS; devno++) {
+ if (dev_table[devno] == link)
+ break;
+ }
+ if (devno == SCR24X_DEVS)
+ return;
+
+ device_destroy(scr24x_class, MKDEV(MAJOR(scr24x_devt), dev->devno));
+ mutex_lock(&dev->lock);
+ pcmcia_disable_device(link);
+ cdev_del(&dev->c_dev);
+ dev->dev = NULL;
+ mutex_unlock(&dev->lock);
kfree(dev);
}
@@ -73,11 +90,23 @@ static int scr24x_wait_ready(struct scr24x_dev *dev)
static int scr24x_open(struct inode *inode, struct file *filp)
{
- struct scr24x_dev *dev = container_of(inode->i_cdev,
- struct scr24x_dev, c_dev);
+ struct scr24x_dev *dev;
+ struct pcmcia_device *link;
+ int minor = iminor(inode);
+
+ if (minor >= SCR24X_DEVS)
+ return -ENODEV;
+
+ mutex_lock(&remove_mutex);
+ link = dev_table[minor];
+ if (link == NULL) {
+ mutex_unlock(&remove_mutex);
+ return -ENODEV;
+ }
kref_get(&dev->refcnt);
filp->private_data = dev;
+ mutex_unlock(&remove_mutex);
return stream_open(inode, filp);
}
@@ -232,24 +261,31 @@ static int scr24x_config_check(struct pcmcia_device *link, void *priv_data)
static int scr24x_probe(struct pcmcia_device *link)
{
struct scr24x_dev *dev;
- int ret;
+ int i, ret;
+
+ for (i = 0; i < SCR24X_DEVS; i++) {
+ if (dev_table[i] == NULL)
+ break;
+ }
+
+ if (i == SCR24X_DEVS)
+ return -ENODEV;
dev = kzalloc(sizeof(*dev), GFP_KERNEL);
if (!dev)
return -ENOMEM;
- dev->devno = find_first_zero_bit(scr24x_minors, SCR24X_DEVS);
- if (dev->devno >= SCR24X_DEVS) {
- ret = -EBUSY;
- goto err;
- }
+ dev->devno = i;
mutex_init(&dev->lock);
kref_init(&dev->refcnt);
link->priv = dev;
+ dev->p_dev = link;
link->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO;
+ dev_table[i] = link;
+
ret = pcmcia_loop_config(link, scr24x_config_check, NULL);
if (ret < 0)
goto err;
@@ -282,8 +318,8 @@ static int scr24x_probe(struct pcmcia_device *link)
return 0;
err:
- if (dev->devno < SCR24X_DEVS)
- clear_bit(dev->devno, scr24x_minors);
+ dev_table[i] = NULL;
+
kfree (dev);
return ret;
}
@@ -292,15 +328,9 @@ static void scr24x_remove(struct pcmcia_device *link)
{
struct scr24x_dev *dev = (struct scr24x_dev *)link->priv;
- device_destroy(scr24x_class, MKDEV(MAJOR(scr24x_devt), dev->devno));
- mutex_lock(&dev->lock);
- pcmcia_disable_device(link);
- cdev_del(&dev->c_dev);
- clear_bit(dev->devno, scr24x_minors);
- dev->dev = NULL;
- mutex_unlock(&dev->lock);
-
+ mutex_lock(&remove_mutex);
kref_put(&dev->refcnt, scr24x_delete);
+ mutex_unlock(&remove_mutex);
}
static const struct pcmcia_device_id scr24x_ids[] = {
--
2.25.1
Dear,
I fixed the wrong patch referencing "dev" after kref_put() in the previous version of the patch.
Regards,
Hyunwoo Kim.Hi Hyunwoo,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on char-misc/char-misc-testing]
[also build test WARNING on linus/master v6.0-rc6 next-20220916]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Hyunwoo-Kim/char-pcmcia-scr24x_cs-Fix-use-after-free-in-scr24x_fops/20220919-121035
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git ceecbbddbf549fe0b7ffa3804a6e255b3360030f
config: hexagon-randconfig-r041-20220919 (https://download.01.org/0day-ci/archive/20220919/202209191730.mhZmYKD3-lkp@intel.com/config)
compiler: clang version 16.0.0 (https://github.com/llvm/llvm-project 791a7ae1ba3efd6bca96338e10ffde557ba83920)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/823ffd6f522e65ce9730fe5bc2ea59221adee881
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Hyunwoo-Kim/char-pcmcia-scr24x_cs-Fix-use-after-free-in-scr24x_fops/20220919-121035
git checkout 823ffd6f522e65ce9730fe5bc2ea59221adee881
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=hexagon SHELL=/bin/bash drivers/char/pcmcia/
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
>> drivers/char/pcmcia/scr24x_cs.c:107:12: warning: variable 'dev' is uninitialized when used here [-Wuninitialized]
kref_get(&dev->refcnt);
^~~
drivers/char/pcmcia/scr24x_cs.c:93:24: note: initialize the variable 'dev' to silence this warning
struct scr24x_dev *dev;
^
= NULL
1 warning generated.
vim +/dev +107 drivers/char/pcmcia/scr24x_cs.c
f2ed287bcc9073 Lubomir Rintel 2016-10-25 90
f2ed287bcc9073 Lubomir Rintel 2016-10-25 91 static int scr24x_open(struct inode *inode, struct file *filp)
f2ed287bcc9073 Lubomir Rintel 2016-10-25 92 {
823ffd6f522e65 Hyunwoo Kim 2022-09-18 93 struct scr24x_dev *dev;
823ffd6f522e65 Hyunwoo Kim 2022-09-18 94 struct pcmcia_device *link;
823ffd6f522e65 Hyunwoo Kim 2022-09-18 95 int minor = iminor(inode);
823ffd6f522e65 Hyunwoo Kim 2022-09-18 96
823ffd6f522e65 Hyunwoo Kim 2022-09-18 97 if (minor >= SCR24X_DEVS)
823ffd6f522e65 Hyunwoo Kim 2022-09-18 98 return -ENODEV;
823ffd6f522e65 Hyunwoo Kim 2022-09-18 99
823ffd6f522e65 Hyunwoo Kim 2022-09-18 100 mutex_lock(&remove_mutex);
823ffd6f522e65 Hyunwoo Kim 2022-09-18 101 link = dev_table[minor];
823ffd6f522e65 Hyunwoo Kim 2022-09-18 102 if (link == NULL) {
823ffd6f522e65 Hyunwoo Kim 2022-09-18 103 mutex_unlock(&remove_mutex);
823ffd6f522e65 Hyunwoo Kim 2022-09-18 104 return -ENODEV;
823ffd6f522e65 Hyunwoo Kim 2022-09-18 105 }
f2ed287bcc9073 Lubomir Rintel 2016-10-25 106
f2ed287bcc9073 Lubomir Rintel 2016-10-25 @107 kref_get(&dev->refcnt);
f2ed287bcc9073 Lubomir Rintel 2016-10-25 108 filp->private_data = dev;
823ffd6f522e65 Hyunwoo Kim 2022-09-18 109 mutex_unlock(&remove_mutex);
f2ed287bcc9073 Lubomir Rintel 2016-10-25 110
c5bf68fe0c86a5 Kirill Smelkov 2019-03-26 111 return stream_open(inode, filp);
f2ed287bcc9073 Lubomir Rintel 2016-10-25 112 }
f2ed287bcc9073 Lubomir Rintel 2016-10-25 113
--
0-DAY CI Kernel Test Service
https://01.org/lkp
© 2016 - 2026 Red Hat, Inc.