firmware loader: fix use-after-free by double abort

fw_priv->buf is accessed in both request_firmware_load() and
writing to sysfs file of 'loading' context, but not protected
by 'fw_lock' entirely. The patch makes sure that access on
'fw_priv->buf' is protected by the lock.

This fixes the double abort problem reported by nirinA raseliarison:

http://lkml.org/lkml/2013/6/14/188

Reported-and-tested-by: nirinA raseliarison <nirina.raseliarison@gmail.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable <stable@vger.kernel.org> # 3.9
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Ming Lei and committed by Greg Kroah-Hartman 87597936 7d132055

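--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -450,8 +450,18 @@
 {
 struct firmware_buf *buf = fw_priv->buf;
 
+/*
+* There is a small window in which user can write to 'loading'
+* between loading done and disappearance of 'loading'
+*/
+if (test_bit(FW_STATUS_DONE, &buf->status))
+return;
+
 set_bit(FW_STATUS_ABORT, &buf->status);
 complete_all(&buf->completion);
+
+/* avoid user action after loading abort */
+fw_priv->buf = NULL;
 }
 
 #define is_fw_load_aborted(buf) \
@@ -528,7 +538,12 @@
 struct device_attribute *attr, char *buf)
 {
 struct firmware_priv *fw_priv = to_firmware_priv(dev);
-int loading = test_bit(FW_STATUS_LOADING, &fw_priv->buf->status);
+int loading = 0;
+
+mutex_lock(&fw_lock);
+if (fw_priv->buf)
+loading = test_bit(FW_STATUS_LOADING, &fw_priv->buf->status);
+mutex_unlock(&fw_lock);
 
 return sprintf(buf, "%d\n", loading);
 }
@@ -570,12 +585,12 @@
 const char *buf, size_t count)
 {
 struct firmware_priv *fw_priv = to_firmware_priv(dev);
-struct firmware_buf *fw_buf = fw_priv->buf;
+struct firmware_buf *fw_buf;
 int loading = simple_strtol(buf, NULL, 10);
 int i;
 
 mutex_lock(&fw_lock);
-
+fw_buf = fw_priv->buf;
 if (!fw_buf)
 goto out;
 
@@ -777,10 +792,6 @@
 struct firmware_priv, timeout_work.work);
 
 mutex_lock(&fw_lock);
-if (test_bit(FW_STATUS_DONE, &(fw_priv->buf->status))) {
-mutex_unlock(&fw_lock);
-return;
-}
 fw_load_abort(fw_priv);
 mutex_unlock(&fw_lock);
 }
@@ -860,8 +871,6 @@
 wait_for_completion(&buf->completion);
 
 cancel_delayed_work_sync(&fw_priv->timeout_work);
-
-fw_priv->buf = NULL;
 
 device_remove_file(f_dev, &dev_attr_loading);
 err_del_bin_attr: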
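Review bot: The abort routine in the first hunk (its signature is above the hunk; presumably fw_load_abort, which the fourth hunk calls) dereferences `buf` via `buf->status` without checking that `fw_priv->buf` is still set, yet the same routine now clears it to NULL on its way out, so a second caller reaching it under fw_lock — the timeout worker in the fourth hunk now calls it with no check of its own — would dereference a NULL pointer instead of hitting the old use-after-free. A guard of the form `if (!buf || test_bit(FW_STATUS_DONE, &buf->status)) return;` would make the double-abort case explicit rather than relying on every caller to test `fw_priv->buf` first, as the sysfs store in the third hunk does. Whether the timeout work can still run after a sysfs-initiated abort depends on the cancel ordering outside these hunks, so this may be unreachable in practice, but the routine also no longer states that it must be called with fw_lock held even though both the read of fw_priv->buf and the new store to it depend on that; a `lockdep_assert_held(&fw_lock);` at the top, or at least a `/* caller must hold fw_lock */` comment, would record the contract.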