Date:	Thu, 25 Jul 2013 19:16:28 +0100
From:	Gustavo Padovan <gustavo@...ovan.org>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	linux-kernel@...r.kernel.org,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	channing <chao.bi@...el.com>, Pavan Savoy <pavan_savoy@...com>
Subject: Re: [PATCH] ti-st: fix NULL dereference on protocol type check

* Andrew Morton <akpm@...ux-foundation.org> [2013-07-24 16:12:22 -0700]:

> On Tue, 23 Jul 2013 15:29:31 +0100 Gustavo Padovan <gustavo@...ovan.org> wrote:
> 
> > From: Gustavo Padovan <gustavo.padovan@...labora.co.uk>
> > 
> > If the type we receive is greater than ST_MAX_CHANNELS we can't rely on
> > type as a vector index, since we would be accessing unknown memory when we
> > use the type as an index.
> > 
> >  Unable to handle kernel NULL pointer dereference at virtual address 0000001b
> >  pgd = c0004000
> >  [0000001b] *pgd=00000000
> >  Internal error: Oops: 17 [#1] PREEMPT SMP ARM
> >  Modules linked in: btwilink wl12xx wlcore mac80211 cfg80211 rfcomm bnep bluo
> >  CPU: 0    Tainted: G        W     (3.4.0+ #15)
> >  PC is at st_int_recv+0x278/0x344
> >  LR is at get_parent_ip+0x14/0x30
> >  pc : [<c03b01a8>]    lr : [<c007273c>]    psr: 200f0193
> >  sp : dc631ed0  ip : e3e21c24  fp : dc631f04
> >  r10: 00000000  r9 : 600f0113  r8 : 0000003f
> >  r7 : e3e21b14  r6 : 00000067  r5 : e2e49c1c  r4 : e3e21a80
> >  r3 : 00000001  r2 : 00000001  r1 : 00000001  r0 : 600f0113
> >  Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
> >  Control: 10c5387d  Table: 9c50004a  DAC: 00000015
> > 
> > Signed-off-by: Gustavo Padovan <gustavo.padovan@...labora.co.uk>
> > ---
> >  drivers/misc/ti-st/st_core.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c
> > index 0a14280..8e64eb1 100644
> > --- a/drivers/misc/ti-st/st_core.c
> > +++ b/drivers/misc/ti-st/st_core.c
> > @@ -343,7 +343,7 @@ void st_int_recv(void *disc_data,
> >  			/* Unknow packet? */
> >  		default:
> >  			type = *ptr;
> > -			if (st_gdata->list[type] == NULL) {
> > +			if (type >= ST_MAX_CHANNELS || st_gdata->list[type] == NULL) {
> >  				pr_err("chip/interface misbehavior dropping"
> >  					" frame starting with 0x%02x", type);
> >  				goto done;
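Review bot: the pr_err() format string in this hunk ends without a newline (`" frame starting with 0x%02x", type);`), so the next printk() output can be appended to the same console line; terminate it with `\n`. The order of the new condition is right: `type >= ST_MAX_CHANNELS` is evaluated before `st_gdata->list[type]`, so the array is never read for an out-of-range `type`. Note also that the subject line calls this a NULL dereference, while what the hunk actually prevents is indexing `list[]` at or past `ST_MAX_CHANNELS`; the commit message itself says "accessing unknown memory", so "fix out-of-bounds index" would describe the change more accurately.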
> 
> This would be a bug in the calling code, would it not?

It is possible and it seems 39f610e40 could be a fix for this. I would need to
test. I was testing it on an old kernel without this patch. In any case my patch
is still needed.

	Gustavo
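The guarded table lookup the patch introduces, reduced to a stand-alone userspace model so the check can be exercised against frames whose type byte is in range and registered, in range but unregistered, and beyond the table. This is an added example, not code from the ti-st driver or from the thread: ST_MAX_CHANNELS is the driver's constant name, but its value here, the struct layouts, the hci_evt_recv handler and the frame bytes are assumptions made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Models the shape of the ti-st channel table: a small array of
 * per-protocol descriptors indexed by the channel byte that arrives on
 * the wire. ST_MAX_CHANNELS is the driver's constant name; the value 16
 * and everything else in this file is an assumption for illustration. */
#define ST_MAX_CHANNELS 16

struct st_proto {
	const char *name;
	int (*recv)(const unsigned char *payload, size_t len);
};

struct st_data {
	struct st_proto *list[ST_MAX_CHANNELS]; /* NULL = channel not registered */
	unsigned long dropped;                  /* frames rejected by the check */
};

/* Hypothetical receive handler for one registered channel. */
static int hci_evt_recv(const unsigned char *payload, size_t len)
{
	(void)payload;
	return (int)len;
}

/* The guarded lookup from the patch: the range check is evaluated first,
 * so list[type] is never read for an index at or past ST_MAX_CHANNELS. */
static struct st_proto *st_lookup(struct st_data *st, unsigned int type)
{
	if (type >= ST_MAX_CHANNELS || st->list[type] == NULL)
		return NULL;
	return st->list[type];
}

/* Dispatch one frame: byte 0 is the channel type, the rest is payload.
 * Returns the handler's result, or -1 if the frame is dropped. */
int st_dispatch(struct st_data *st, const unsigned char *frame, size_t len)
{
	struct st_proto *proto;
	unsigned int type;

	if (len == 0)
		return -1;
	type = frame[0];
	proto = st_lookup(st, type);
	if (!proto) {
		st->dropped++;
		fprintf(stderr, "chip/interface misbehavior dropping frame "
			"starting with 0x%02x\n", type);
		return -1;
	}
	return proto->recv(frame + 1, len - 1);
}

/* Register the hypothetical protocol on channel 4; all others stay NULL. */
void st_setup(struct st_data *st, struct st_proto *p)
{
	memset(st, 0, sizeof(*st));
	p->name = "hci_evt";
	p->recv = hci_evt_recv;
	st->list[4] = p;
}

int main(void)
{
	struct st_data st;
	struct st_proto p;
	/* Constructed frames: a registered channel, an unregistered channel
	 * inside the table, and a type byte far beyond ST_MAX_CHANNELS (the
	 * case the unpatched code used directly as an array index). */
	const unsigned char good[] = {0x04, 0x0e, 0x04, 0x01, 0x03, 0x0c, 0x00};
	const unsigned char unreg[] = {0x09, 0xaa};
	const unsigned char oob[] = {0x80, 0xbb, 0xcc};

	st_setup(&st, &p);
	printf("good:  %d\n", st_dispatch(&st, good, sizeof(good)));
	printf("unreg: %d\n", st_dispatch(&st, unreg, sizeof(unreg)));
	printf("oob:   %d\n", st_dispatch(&st, oob, sizeof(oob)));
	printf("dropped: %lu\n", st.dropped);
	return 0;
}
```

The short-circuit order of the `||` is what makes the guard safe: swapping the two operands would read `list[type]` before the range was known, which is exactly the access the patch removes.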