Message ID | 20171103080131.25473-1-kleber.souza@canonical.com |
---|---|
State | New |
Series | [SRU,Zesty,CVE-2017-12146] driver core: platform: fix race condition with driver_override |
On 03.11.2017 09:01, Kleber Sacilotto de Souza wrote: > From: Adrian Salido <salidoa@google.com> > > CVE-2017-12146 > > The driver_override implementation is susceptible to race condition when > different threads are reading vs storing a different driver override. > Add locking to avoid race condition. > > Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'") > Cc: stable@vger.kernel.org > Signed-off-by: Adrian Salido <salidoa@google.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 6265539776a0810b7ce6398c27866ddb9c6bd154) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > drivers/base/platform.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/drivers/base/platform.c b/drivers/base/platform.c > index 647e4761dbf3..4ce2f9daa62a 100644 > --- a/drivers/base/platform.c > +++ b/drivers/base/platform.c > @@ -866,7 +866,7 @@ static ssize_t driver_override_store(struct device *dev, > const char *buf, size_t count) > { > struct platform_device *pdev = to_platform_device(dev); > - char *driver_override, *old = pdev->driver_override, *cp; > + char *driver_override, *old, *cp; > > if (count > PATH_MAX) > return -EINVAL; > @@ -879,12 +879,15 @@ static ssize_t driver_override_store(struct device *dev, > if (cp) > *cp = '\0'; > > + device_lock(dev); > + old = pdev->driver_override; > if (strlen(driver_override)) { > pdev->driver_override = driver_override; > } else { > kfree(driver_override); > pdev->driver_override = NULL; > } > + device_unlock(dev); > > kfree(old); 
> > @@ -895,8 +898,12 @@ static ssize_t driver_override_show(struct device *dev, > struct device_attribute *attr, char *buf) > { > struct platform_device *pdev = to_platform_device(dev); > + ssize_t len; > > - return sprintf(buf, "%s\n", pdev->driver_override); > + device_lock(dev); > + len = sprintf(buf, "%s\n", pdev->driver_override); > + device_unlock(dev); > + return len; > } > static DEVICE_ATTR_RW(driver_override); > >
On 03/11/17 08:01, Kleber Sacilotto de Souza wrote: > From: Adrian Salido <salidoa@google.com> > > CVE-2017-12146 > > The driver_override implementation is susceptible to race condition when > different threads are reading vs storing a different driver override. > Add locking to avoid race condition. > > Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'") > Cc: stable@vger.kernel.org > Signed-off-by: Adrian Salido <salidoa@google.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 6265539776a0810b7ce6398c27866ddb9c6bd154) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/base/platform.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/drivers/base/platform.c b/drivers/base/platform.c > index 647e4761dbf3..4ce2f9daa62a 100644 > --- a/drivers/base/platform.c > +++ b/drivers/base/platform.c > @@ -866,7 +866,7 @@ static ssize_t driver_override_store(struct device *dev, > const char *buf, size_t count) > { > struct platform_device *pdev = to_platform_device(dev); > - char *driver_override, *old = pdev->driver_override, *cp; > + char *driver_override, *old, *cp; > > if (count > PATH_MAX) > return -EINVAL; > @@ -879,12 +879,15 @@ static ssize_t driver_override_store(struct device *dev, > if (cp) > *cp = '\0'; > > + device_lock(dev); > + old = pdev->driver_override; > if (strlen(driver_override)) { > pdev->driver_override = driver_override; > } else { > kfree(driver_override); > pdev->driver_override = NULL; > } > + device_unlock(dev); > > kfree(old); 
> > @@ -895,8 +898,12 @@ static ssize_t driver_override_show(struct device *dev, > struct device_attribute *attr, char *buf) > { > struct platform_device *pdev = to_platform_device(dev); > + ssize_t len; > > - return sprintf(buf, "%s\n", pdev->driver_override); > + device_lock(dev); > + len = sprintf(buf, "%s\n", pdev->driver_override); > + device_unlock(dev); > + return len; > } > static DEVICE_ATTR_RW(driver_override); > > Clean upstream cherry pick, looks sane to me. Acked-by: Colin Ian King <colin.king@canonical.com>
On 03.11.2017 09:01, Kleber Sacilotto de Souza wrote: > From: Adrian Salido <salidoa@google.com> > > CVE-2017-12146 > > The driver_override implementation is susceptible to race condition when > different threads are reading vs storing a different driver override. > Add locking to avoid race condition. > > Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'") > Cc: stable@vger.kernel.org > Signed-off-by: Adrian Salido <salidoa@google.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 6265539776a0810b7ce6398c27866ddb9c6bd154) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/base/platform.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/drivers/base/platform.c b/drivers/base/platform.c > index 647e4761dbf3..4ce2f9daa62a 100644 > --- a/drivers/base/platform.c > +++ b/drivers/base/platform.c > @@ -866,7 +866,7 @@ static ssize_t driver_override_store(struct device *dev, > const char *buf, size_t count) > { > struct platform_device *pdev = to_platform_device(dev); > - char *driver_override, *old = pdev->driver_override, *cp; > + char *driver_override, *old, *cp; > > if (count > PATH_MAX) > return -EINVAL; > @@ -879,12 +879,15 @@ static ssize_t driver_override_store(struct device *dev, > if (cp) > *cp = '\0'; > > + device_lock(dev); > + old = pdev->driver_override; > if (strlen(driver_override)) { > pdev->driver_override = driver_override; > } else { > kfree(driver_override); > pdev->driver_override = NULL; > } > + device_unlock(dev); > > kfree(old); 
> > @@ -895,8 +898,12 @@ static ssize_t driver_override_show(struct device *dev, > struct device_attribute *attr, char *buf) > { > struct platform_device *pdev = to_platform_device(dev); > + ssize_t len; > > - return sprintf(buf, "%s\n", pdev->driver_override); > + device_lock(dev); > + len = sprintf(buf, "%s\n", pdev->driver_override); > + device_unlock(dev); > + return len; > } > static DEVICE_ATTR_RW(driver_override); > > Applied to zesty/master-next. Thanks.
diff --git a/drivers/base/platform.c b/drivers/base/platform.c index 647e4761dbf3..4ce2f9daa62a 100644 --- a/drivers/base/platform.c +++ b/drivers/base/platform.c @@ -866,7 +866,7 @@ static ssize_t driver_override_store(struct device *dev, const char *buf, size_t count) { struct platform_device *pdev = to_platform_device(dev); - char *driver_override, *old = pdev->driver_override, *cp; + char *driver_override, *old, *cp; if (count > PATH_MAX) return -EINVAL; @@ -879,12 +879,15 @@ static ssize_t driver_override_store(struct device *dev, if (cp) *cp = '\0'; + device_lock(dev); + old = pdev->driver_override; if (strlen(driver_override)) { pdev->driver_override = driver_override; } else { kfree(driver_override); pdev->driver_override = NULL; } + device_unlock(dev); kfree(old); @@ -895,8 +898,12 @@ static ssize_t driver_override_show(struct device *dev, struct device_attribute *attr, char *buf) { struct platform_device *pdev = to_platform_device(dev); + ssize_t len; - return sprintf(buf, "%s\n", pdev->driver_override); + device_lock(dev); + len = sprintf(buf, "%s\n", pdev->driver_override); + device_unlock(dev); + return len; } static DEVICE_ATTR_RW(driver_override);
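Review bot: In the second hunk of driver_override_store() (@@ -879,12), the new device_lock(dev)/device_unlock(dev) pair carries no comment saying what it protects, and the commit message names only the read-versus-store case. Taking `old = pdev->driver_override;` under the lock also serializes two concurrent stores, which with the removed declaration-time initialization could each capture the same `old` pointer and both reach `kfree(old);`. A one-line comment above device_lock(dev) stating that it guards pdev->driver_override against concurrent show and store would make that explicit. Leaving kfree(old) after the unlock is fine, since by then the pointer is no longer reachable through pdev.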
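Review bot: In the driver_override_show() hunk (@@ -895,8), the call now made under the lock is still an unbounded `sprintf(buf, "%s\n", pdev->driver_override)`, while the only length check visible on the store side is `if (count > PATH_MAX)`, which is not tied to the size of the sysfs output buffer. Consider a bounded call such as scnprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override), either here or as a follow-up since this is a cherry pick. The store hunk can also leave pdev->driver_override set to NULL, so this line passes NULL to %s; a short comment on what the attribute reads back as in that case would help.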