Re: [PATCH] misc: hpilo: Fix use-after-free in ilo_open

From: Matt Hsiao
Date: Mon Jan 02 2023 - 21:35:46 EST

Next message: Haotien Hsu: "[PATCH v2] ucsi_ccg: Refine the UCSI Interrupt handling"
Previous message: Damien Le Moal: "Re: [PATCH v3 7/8] block, bfq: remove unnecessary goto tag in bfq_dispatch_rq_from_bfqq"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Jan 01, 2023 at 10:19:14AM +0900, Yoochan Lee wrote:
> > And how can this device actually be removed from the system? Is that
> > possible with this hardware?
> HP ILO device is connected by using LAN cable.
> Therefore, the detach function is triggered when the attacker
> physically detaches the LAN cable connected to the HP ILO device.

This is incorrect.

The iLO device is an SoC attached directly on the PCB board.
It cannot be removed like a PCMCIA card that you referred so the
patch cannot apply the same to iLO. This iLO SoC does have a NIC, but
detach the LAN cable connected to it does not remove the SoC itself from
the host CPU.

>
> > And again, this is not the correct solution as you have way too many
> > reference counts happening here. Please become more familiar with how
> > these all work before adding another one and causing more problems like
> > this patch did :(
> Okay, I'll find a better way to patch this bug.
>
> Sincerely,
> Yoochan
>
> 2022년 12월 31일 (토) 오후 10:48, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>님이 작성:
> >
> > A: http://en.wikipedia.org/wiki/Top_post
> > Q: Were do I find info about this thing called top-posting?
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> > A: Top-posting.
> > Q: What is the most annoying thing in e-mail?
> >
> > A: No.
> > Q: Should I include quotations after my reply?
> >
> > http://daringfireball.net/2007/07/on_top
> >
> > On Sat, Dec 31, 2022 at 10:06:19PM +0900, Yoochan Lee wrote:
> > > Thanks.
> > >
> > > Since I don't have a real device, it is difficult to verify the bug dynamically.
> > > However, this type of race condition (i.e., b/w remove device and
> > > fops) is prevalently founded recently[1-3].
> > > Therefore, I think this bug can be triggered if a real device exists.
> >
> > And how can this device actually be removed from the system? Is that
> > possible with this hardware?
> >
> > > The main reason for this race condition (i.e., b/w detach and fops) is
> > > there is no proper lock mechanism.
> > > I think the detach device function is delayed until the other
> > > operations (e.g., fops) is finished.
> > > To this end, I use kref to wait for the other operations.
> >
> > And again, this is not the correct solution as you have way too many
> > reference counts happening here. Please become more familiar with how
> > these all work before adding another one and causing more problems like
> > this patch did :(
> >
> > > The tool I am making is currently under development, and it can find
> > > the race condition between detach function and fops.
> >
> > Then you MUST document this as it looks like your tool needs work.
> > Please read Documentation/process/researcher-guidelines.rst for what you
> > MUST do if you use a tool to find "issues" and send out random patches.
> >
> > good luck!
> >
> > greg k-h

Next message: Haotien Hsu: "[PATCH v2] ucsi_ccg: Refine the UCSI Interrupt handling"
Previous message: Damien Le Moal: "Re: [PATCH v3 7/8] block, bfq: remove unnecessary goto tag in bfq_dispatch_rq_from_bfqq"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]