lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 01 Mar 2007 09:55:06 +0100
From:	Mike Galbraith <efault@....de>
To:	LKML <linux-kernel@...r.kernel.org>
Cc:	a.zummo@...ertech.it
Subject: [patch take 2] Re: linux-2.6.today: rtc_cmos init oops/panic in
	rtc_sysfs_remove_device()

On Tue, 2007-02-27 at 10:25 +0100, Mike Galbraith wrote:
> On Sun, 2007-02-25 at 09:32 +0100, Mike Galbraith wrote:
> 
> > Fix NULL pointer dereference in cmos_rtc registration failure path.
> > 
> > Signed-off-by: Mike Galbraith <efault@....de>
> > 
> > diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c
> > index 7a0d8ee..9201786 100644
> > --- a/drivers/rtc/class.c
> > +++ b/drivers/rtc/class.c
> > @@ -113,10 +113,10 @@ EXPORT_SYMBOL_GPL(rtc_device_register);
> >   */
> >  void rtc_device_unregister(struct rtc_device *rtc)
> >  {
> > +	class_device_unregister(&rtc->class_dev);
> >  	mutex_lock(&rtc->ops_lock);
> >  	rtc->ops = NULL;
> >  	mutex_unlock(&rtc->ops_lock);
> > -	class_device_unregister(&rtc->class_dev);
> >  }
> >  EXPORT_SYMBOL_GPL(rtc_device_unregister);
> 
> However, re-enabling CONFIG_DEBUG_SLAB which somehow got disabled
> emitted the below.
> 
> [   36.765977] rtc_cmos 00:03: rtc intf: sysfs
> [   36.779301] rtc_cmos 00:03: rtc intf: proc
> [   36.792557] rtc_cmos 00:03: rtc intf: dev (239:0)
> [   36.806139] rtc_cmos 00:03: rtc core: registered rtc_cmos as rtc0
> [   36.821017] rtc_cmos 00:03: i/o registers already in use
> [   36.834992] rtc_cmos 00:03: removing char 239:0
> [   36.848268] pnp: Device 00:03 does not support disabling.
> [   36.862282] rtc_cmos: probe of 00:03 failed with error -16
> [   36.876394] md: linear personality registered for level -1
> [   36.890508] md: raid0 personality registered for level 0
> [   36.904563] md: raid1 personality registered for level 1
> [   36.918454] md: raid10 personality registered for level 10
> [   36.949187] raid6: int32x1    722 MB/s
> [   36.978092] raid6: int32x2    800 MB/s
> [   37.006101] raid6: int32x4    917 MB/s
> [   37.034047] raid6: int32x8    671 MB/s
> [   37.062030] raid6: mmxx1     2371 MB/s
> [   37.090000] raid6: mmxx2     3066 MB/s
> [   37.118001] raid6: sse1x1    1449 MB/s
> [   37.145964] raid6: sse1x2    2699 MB/s
> [   37.172947] raid6: sse2x1    2222 MB/s
> [   37.199912] raid6: sse2x2    3375 MB/s
> [   37.210371] raid6: using algorithm sse2x2 (3375 MB/s)
> [   37.222143] md: raid6 personality registered for level 6
> [   37.234127] md: raid5 personality registered for level 5
> [   37.245889] md: raid4 personality registered for level 4
> [   37.257313] raid5: automatically using best checksumming function: pIII_sse
> [   37.274853]    pIII_sse  :  3812.000 MB/sec
> [   37.284947] raid5: using function: pIII_sse (3812.000 MB/sec)
> [   37.296648] md: multipath personality registered for level -4
> [   37.308377] Slab corruption: start=dfede248, len=512
> [   37.319200] Redzone: 0x5a2cf071/0x5a2cf071.
> [   37.329211] Last user: [<c03c8ab2>](rtc_device_release+0x31/0x34)
> [   37.341274] 0b0: 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b 6b 6b 6b 6b
> [   37.353894] Prev obj: start=dfede03c, len=512
> [   37.364285] Redzone: 0x5a2cf071/0x5a2cf071.
> [   37.374409] Last user: [<c0408643>](skb_release_data+0x57/0x79)
> [   37.386402] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
> [   37.399116] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
> [   37.411788] Next obj: start=dfede454, len=512
> [   37.422309] Redzone: 0x170fc2a5/0x170fc2a5.
> [   37.432642] Last user: [<c0350168>](device_create+0x2b/0xa3)
> [   37.444670] 000: 01 00 00 00 00 00 00 00 5c e4 ed df 5c e4 ed df
> [   37.457532] 010: 73 f2 34 c0 ff f0 34 c0 00 00 00 00 00 00 00 00
> [   37.470429] device-mapper: ioctl: 4.11.0-ioctl (2006-10-12) initialised: dm-devel@...hat.com

Dummy here created a use after free.

Fix NULL pointer dereference in cmos_rtc registration failure path.
Since we're freeing rtc in rtc_device_release(), there should be no need
to NULL rtc->ops.  Anybody who has a reference to the freed rtc after
device release, and uses it, will hopefully explode violently.

Signed-off-by: Mike Galbraith <efault@....de>

diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c
index 7a0d8ee..d338fb8 100644
--- a/drivers/rtc/class.c
+++ b/drivers/rtc/class.c
@@ -113,9 +113,6 @@ EXPORT_SYMBOL_GPL(rtc_device_register);
  */
 void rtc_device_unregister(struct rtc_device *rtc)
 {
-	mutex_lock(&rtc->ops_lock);
-	rtc->ops = NULL;
-	mutex_unlock(&rtc->ops_lock);
 	class_device_unregister(&rtc->class_dev);
 }
 EXPORT_SYMBOL_GPL(rtc_device_unregister);


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ