From: Greg KH <gregkh@linuxfoundation.org>
To: Jiri Kosina <jikos@kernel.org>
Cc: Tzung-Bi Shih <tzungbi@kernel.org>, ksummit@lists.linux.dev
Subject: Re: [TECH TOPIC] Revocable: a mechanism for preventing "classic" use-after-free bugs
Date: Sun, 14 Sep 2025 08:45:44 +0200 [thread overview]
Message-ID: <2025091401-elm-undress-03d6@gregkh> (raw)
In-Reply-To: <9q6poo2r-9589-45n8-037n-q75348021s34@xreary.bet>
On Sun, Sep 14, 2025 at 12:19:47AM +0200, Jiri Kosina wrote:
> On Sat, 13 Sep 2025, Tzung-Bi Shih wrote:
>
> > Abstract
> >
> > A "classic" Use-After-Free (UAF) can occur when resources tied to
> > hot-pluggable devices are accessed after the device has been removed. For
> > example, an open file descriptor may hold references to such resources; if
> > the device is unplugged, subsequent file operations on that descriptor can
> > trigger an UAF. This talk, a follow-up to a previous presentation[1],
> > explores an approach to this challenge.
> >
> > We will present "revocable"[2], a new kernel mechanism for resource
> > management. A revocable allows a resource provider (e.g., a device driver)
> > to invalidate access to a resource from a consumer (e.g., a character device)
> > when the underlying device is no longer available. Once a resource is
> > revoked, any further attempts to use it will fail gracefully, thus preventing
> > the UAF.
> >
> > We will discuss the design and implementation of the revocable mechanism and
> > its application in the ChromeOS Embedded Controller drivers to fix a
> > real-world UAF bug. We hope to also start a discussion on how this generic
> > mechanism could be adopted by other drivers to handle similar resource
> > lifecycle issues.
> >
> > [1] https://lpc.events/event/17/contributions/1627/
> > [2] https://lore.kernel.org/chrome-platform/20250820081645.847919-1-tzungbi@kernel.org/T/#u
>
> I will be honest and admit that I haven't looked at the linked resources
> yet in a big enough detail, but judging purely from the abstract above, I
> believe this will immediately met by "how is this different from
> device-managed (devm_*) resources?", so hinting about that in abstract
> already might be helpful.
It's quite different, devm_ can be built on top of it, like it was done
for the rust implementation for devm_*, so yes, it would be good to say
something about that.
thanks,
greg k-h
next prev parent reply other threads:[~2025-09-14 6:45 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-13 14:49 Tzung-Bi Shih
2025-09-13 22:19 ` Jiri Kosina
2025-09-14 6:45 ` Greg KH [this message]
2025-09-17 5:17 ` Tzung-Bi Shih
2025-09-16 6:56 ` Linus Walleij
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025091401-elm-undress-03d6@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=jikos@kernel.org \
--cc=ksummit@lists.linux.dev \
--cc=tzungbi@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox