From patchwork Fri Nov 3 08:01:31 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kleber Sacilotto de Souza X-Patchwork-Id: 833699 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3ySvYL0pX5z9sNw; Fri, 3 Nov 2017 19:01:42 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1eAWv2-0004fV-Pd; Fri, 03 Nov 2017 08:01:36 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1eAWv1-0004fO-3K for kernel-team@lists.ubuntu.com; Fri, 03 Nov 2017 08:01:35 +0000 Received: from mail-wr0-f198.google.com ([209.85.128.198]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1eAWv0-0004ya-Qv for kernel-team@lists.ubuntu.com; Fri, 03 Nov 2017 08:01:34 +0000 Received: by mail-wr0-f198.google.com with SMTP id c42so1166519wrc.13 for ; Fri, 03 Nov 2017 01:01:34 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id; bh=uA8ZYgzx0L3WzDY71p74xmEAxIDhYA4DUiVZH6kEkEw=; b=Us/Rf8qX6b04Bx5EePjEd9Ac0E8yYECHJK8HFM7XTHovUta2KXpZ8L0Mgk1X86I2Iz QOioeXlzbIpFYx1zsrYePVHQyO+YSXkTNZAk1EHysZkOc8J69c80U0vqw8bccGz7QVFb IVAcSkVZRsIthnAMOSa++EEWYV3MteCY8Sxi9JJt8zykxeclsBZDWmNrVyWpAyP4c7+B FiBjwewOcNM1nhVrq5W7p/MUNpPWoAuaoRYSm+i8eJ1IIn3dTPnb5zgWahxACljoTGsq BPbSwlZ7mw3pn0gQr4L3nqf5Ue4r3zYbDe6hls/fqOKfdFzqvY8ZNGoKzK/o3NQUKroZ fFKQ== X-Gm-Message-State: AMCzsaVibmfInka3fdxs+Pp01Cg/n4aD9XJB0ChUqXduoPuRxXwCknzW 3qTDo424nOZ9tYVJtS1tDkjTmpA6RIp5xZ9cdqhTf/FS9DBfQituUkmhuzUnO0yTNE74hhcS8pM 7Ti5V+gtKEP0mA//yp3dMu5Xjoqioy6rgua/lfpfNAg== X-Received: by 10.80.179.17 with SMTP id q17mr7648369edd.270.1509696094256; Fri, 03 Nov 2017 01:01:34 -0700 (PDT) X-Google-Smtp-Source: ABhQp+RT9OT241c1AEDxrxQXAdPw+C6/JFcO2rU4Voo5ZK9UP+om2jSPpGmol89WbAdOBguLK9Cybw== X-Received: by 10.80.179.17 with SMTP id q17mr7648358edd.270.1509696094015; Fri, 03 Nov 2017 01:01:34 -0700 (PDT) Received: from localhost ([2a02:8109:a540:7e8:8926:2094:ede9:dddc]) by smtp.gmail.com with ESMTPSA id b9sm4863861edc.81.2017.11.03.01.01.32 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 03 Nov 2017 01:01:33 -0700 (PDT) From: Kleber Sacilotto de Souza To: kernel-team@lists.ubuntu.com Subject: [SRU][Zesty][PATCH][CVE-2017-12146] driver core: platform: fix race condition with driver_override Date: Fri, 3 Nov 2017 09:01:31 +0100 Message-Id: <20171103080131.25473-1-kleber.souza@canonical.com> X-Mailer: git-send-email 2.14.1 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Adrian Salido CVE-2017-12146 The driver_override implementation is susceptible to race condition when different threads are reading vs storing a different driver override. Add locking to avoid race condition. Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'") Cc: stable@vger.kernel.org Signed-off-by: Adrian Salido Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 6265539776a0810b7ce6398c27866ddb9c6bd154) Signed-off-by: Kleber Sacilotto de Souza Acked-by: Stefan Bader Acked-by: Colin Ian King --- drivers/base/platform.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/base/platform.c b/drivers/base/platform.c index 647e4761dbf3..4ce2f9daa62a 100644 --- a/drivers/base/platform.c +++ b/drivers/base/platform.c @@ -866,7 +866,7 @@ static ssize_t driver_override_store(struct device *dev, const char *buf, size_t count) { struct platform_device *pdev = to_platform_device(dev); - char *driver_override, *old = pdev->driver_override, *cp; + char *driver_override, *old, *cp; if (count > PATH_MAX) return -EINVAL; @@ -879,12 +879,15 @@ static ssize_t driver_override_store(struct device *dev, if (cp) *cp = '\0'; + device_lock(dev); + old = pdev->driver_override; if (strlen(driver_override)) { pdev->driver_override = driver_override; } else { kfree(driver_override); pdev->driver_override = NULL; } + device_unlock(dev); kfree(old); @@ -895,8 +898,12 @@ static ssize_t driver_override_show(struct device *dev, struct device_attribute *attr, char *buf) { struct platform_device *pdev = to_platform_device(dev); + ssize_t len; - return sprintf(buf, "%s\n", pdev->driver_override); + device_lock(dev); + len = sprintf(buf, "%s\n", pdev->driver_override); + device_unlock(dev); + return len; } static DEVICE_ATTR_RW(driver_override);