lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 19 Jan 2018 09:03:20 +0200
From:   Mathias Nyman <mathias.nyman@...ux.intel.com>
To:     Zhengjun Xing <zhengjun.xing@...ux.intel.com>,
        gregkh@...uxfoundation.org
Cc:     linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] xhci:Fix NULL pointer in xhci debugfs

On 19.01.2018 04:13, Zhengjun Xing wrote:
> Commit dde634057da7 ("xhci: Fix use-after-free in xhci debugfs") causes a
> null pointer dereference while fixing xhci-debugfs usage of ring pointers
> that were freed during hibernate.
> 
> The fix passed addresses to ring pointers instead, but forgot to do this
> change for the xhci_ring_trb_show function.
> 
> The address of the ring pointer passed to xhci-debugfs was of a temporary
> ring pointer "new_ring" instead of the actual ring "ring" pointer. The
> temporary new_ring pointer will be set to NULL later causing the NULL
> pointer dereference.
> 
> This issue was seen when reading xhci related files in debugfs:
> 
> cat /sys/kernel/debug/usb/xhci/*/devices/*/ep*/trbs
> 
> [  184.604861] BUG: unable to handle kernel NULL pointer dereference at (null)
> [  184.613776] IP: xhci_ring_trb_show+0x3a/0x890
> [  184.618733] PGD 264193067 P4D 264193067 PUD 263238067 PMD 0
> [  184.625184] Oops: 0000 [#1] SMP
> [  184.726410] RIP: 0010:xhci_ring_trb_show+0x3a/0x890
> [  184.731944] RSP: 0018:ffffba8243c0fd90 EFLAGS: 00010246
> [  184.737880] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000000295d6
> [  184.746020] RDX: 00000000000295d5 RSI: 0000000000000001 RDI: ffff971a6418d400
> [  184.754121] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> [  184.762222] R10: ffff971a64c98a80 R11: ffff971a62a00e40 R12: ffff971a62a85500
> [  184.770325] R13: 0000000000020000 R14: ffff971a6418d400 R15: ffff971a6418d400
> [  184.778448] FS:  00007fe725a79700(0000) GS:ffff971a6ec00000(0000) knlGS:0000000000000000
> [  184.787644] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  184.794168] CR2: 0000000000000000 CR3: 000000025f365005 CR4: 00000000003606f0
> [  184.802318] Call Trace:
> [  184.805094]  ? seq_read+0x281/0x3b0
> [  184.809068]  seq_read+0xeb/0x3b0
> [  184.812735]  full_proxy_read+0x4d/0x70
> [  184.817007]  __vfs_read+0x23/0x120
> [  184.820870]  vfs_read+0x91/0x130
> [  184.824538]  SyS_read+0x42/0x90
> [  184.828106]  entry_SYSCALL_64_fastpath+0x1a/0x7d
> 
> Fixes: dde634057da7 ("xhci: Fix use-after-free in xhci debugfs")
> Signed-off-by: Zhengjun Xing <zhengjun.xing@...ux.intel.com>
> ---

Thanks, adding  to queue

-Mathias

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ