Re: [PATCH] ACPI: custom_method: fix potential use-after-free issues
From: Rafael J. Wysocki
Date: Fri Dec 30 2022 - 13:32:32 EST
On Tue, Dec 27, 2022 at 7:34 AM Hang Zhang <zh.nvgt@xxxxxxxxx> wrote:
>
> cm_write() is the .write callback of the custom_method debugfs
> interface, it operates on a global pointer "buf" (e.g., dereference,
> allocate, free, and nullification), the problem is that cm_write()
> is not protected by any locks, so concurrent invocations of it
> may cause use-after-free issues for "buf", e.g., one invocation
> may have just freed "buf" while being preempted before nullifying
> the pointer, then another invocation can dereference the now dangling
> "buf" pointer.
>
> Fix the issue by protecting the "buf" operations in cm_write() with
> the inode write lock. Note that the .llseek callback of the debugfs
> interface has been protected by the same lock, this patch basically
> introduces it to the .write callback as well.
The problem is there, but the whole state is not protected from
concurrent use and the fix doesn't look sufficient to me (for example,
a different writer may start writing into the file before the previous
one has finished and the result will still be broken AFAICS).
It looks like the file should be prevented from being opened by more
than one writer at a time.
Or maybe it's time to drop this interface from the kernel altogether.
> Signed-off-by: Hang Zhang <zh.nvgt@xxxxxxxxx>
> ---
> drivers/acpi/custom_method.c | 43 +++++++++++++++++++++++++-----------
> 1 file changed, 30 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
> index d39a9b474727..e3de5a06d903 100644
> --- a/drivers/acpi/custom_method.c
> +++ b/drivers/acpi/custom_method.c
> @@ -29,28 +29,38 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
> struct acpi_table_header table;
> acpi_status status;
> int ret;
> + struct inode *inode = file_inode(file);
>
> ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
> if (ret)
> return ret;
>
> + inode_lock(inode);
> if (!(*ppos)) {
> /* parse the table header to get the table length */
> - if (count <= sizeof(struct acpi_table_header))
> - return -EINVAL;
> + if (count <= sizeof(struct acpi_table_header)) {
> + ret = -EINVAL;
> + goto err;
> + }
> if (copy_from_user(&table, user_buf,
> - sizeof(struct acpi_table_header)))
> - return -EFAULT;
> + sizeof(struct acpi_table_header))) {
> + ret = -EFAULT;
> + goto err;
> + }
> uncopied_bytes = max_size = table.length;
> /* make sure the buf is not allocated */
> kfree(buf);
> buf = kzalloc(max_size, GFP_KERNEL);
> - if (!buf)
> - return -ENOMEM;
> + if (!buf) {
> + ret = -ENOMEM;
> + goto err;
> + }
> }
>
> - if (buf == NULL)
> - return -EINVAL;
> + if (buf == NULL) {
> + ret = -EINVAL;
> + goto err;
> + }
>
> if ((*ppos > max_size) ||
> (*ppos + count > max_size) ||
> @@ -58,13 +68,15 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
> (count > uncopied_bytes)) {
> kfree(buf);
> buf = NULL;
> - return -EINVAL;
> + ret = -EINVAL;
> + goto err;
> }
>
> if (copy_from_user(buf + (*ppos), user_buf, count)) {
> kfree(buf);
> buf = NULL;
> - return -EFAULT;
> + ret = -EFAULT;
> + goto err;
> }
>
> uncopied_bytes -= count;
> @@ -74,12 +86,17 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
> status = acpi_install_method(buf);
> kfree(buf);
> buf = NULL;
> - if (ACPI_FAILURE(status))
> - return -EINVAL;
> + if (ACPI_FAILURE(status)) {
> + ret = -EINVAL;
> + goto err;
> + }
> add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE);
> }
>
> - return count;
> + ret = count;
> +err:
> + inode_unlock(inode);
> + return ret;
> }
>
> static const struct file_operations cm_fops = {
> --
> 2.39.0
>