ACK: [SRU][X][PATCH 1/1] pinctrl: devicetree: Avoid taking direct reference to device name string

Andrea Righi andrea.righi at canonical.com
Thu Oct 22 07:26:18 UTC 2020 

On Wed, Oct 21, 2020 at 02:43:51PM -0400, Khalid Elmously wrote:
> From: Will Deacon <will at kernel.org>
> 
> CVE-2020-0427
> 
> When populating the pinctrl mapping table entries for a device, the
> 'dev_name' field for each entry is initialised to point directly at the
> string returned by 'dev_name()' for the device and subsequently used by
> 'create_pinctrl()' when looking up the mappings for the device being
> probed.
> 
> This is unreliable in the presence of calls to 'dev_set_name()', which may
> reallocate the device name string leaving the pinctrl mappings with a
> dangling reference. This then leads to a use-after-free every time the
> name is dereferenced by a device probe:
> 
>   | BUG: KASAN: invalid-access in strcmp+0x20/0x64
>   | Read of size 1 at addr 13ffffc153494b00 by task modprobe/590
>   | Pointer tag: [13], memory tag: [fe]
>   |
>   | Call trace:
>   |  __kasan_report+0x16c/0x1dc
>   |  kasan_report+0x10/0x18
>   |  check_memory_region
>   |  __hwasan_load1_noabort+0x4c/0x54
>   |  strcmp+0x20/0x64
>   |  create_pinctrl+0x18c/0x7f4
>   |  pinctrl_get+0x90/0x114
>   |  devm_pinctrl_get+0x44/0x98
>   |  pinctrl_bind_pins+0x5c/0x450
>   |  really_probe+0x1c8/0x9a4
>   |  driver_probe_device+0x120/0x1d8
> 
> Follow the example of sysfs, and duplicate the device name string before
> stashing it away in the pinctrl mapping entries.
> 
> Cc: Linus Walleij <linus.walleij at linaro.org>
> Reported-by: Elena Petrova <lenaptr at google.com>
> Tested-by: Elena Petrova <lenaptr at google.com>
> Signed-off-by: Will Deacon <will at kernel.org>
> Link: https://lore.kernel.org/r/20191002124206.22928-1-will@kernel.org
> Signed-off-by: Linus Walleij <linus.walleij at linaro.org>
> (backported from commit be4c60b563edee3712d392aaeb0943a768df7023)
> [ kmously: Extra dev_err() in dt_remember_or_free_map() required
>  manual merging ]
> Signed-off-by: Khalid Elmously <khalid.elmously at canonical.com>

Acked-by: Andrea Righi <andrea.righi at canonical.com>

More information about the kernel-team mailing list