lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d120d5000608071204r5870424dmae61033421ef74fd@mail.gmail.com>
Date:	Mon, 7 Aug 2006 15:04:36 -0400
From:	"Dmitry Torokhov" <dmitry.torokhov@...il.com>
To:	"Dmitry Torokhov" <dmitry.torokhov@...il.com>,
	linux-input@...ey.karlin.mff.cuni.cz, linux-kernel@...r.kernel.org
Subject: Re: [patch] Crash on evdev disconnect.

On 8/7/06, Zephaniah E. Hull <warp@...allh.com> wrote:
> On Mon, Aug 07, 2006 at 01:35:50PM -0400, Dmitry Torokhov wrote:
> > Hi,
> >
> > On 8/7/06, Zephaniah E. Hull <warp@...allh.com> wrote:
> > >       if (evdev->open) {
> > >               input_close_device(handle);
> > >               wake_up_interruptible(&evdev->wait);
> > >-               list_for_each_entry(list, &evdev->list, node)
> > >+               list_for_each_entry_safe(list, next, &evdev->list, node)
> > >                       kill_fasync(&list->fasync, SIGIO, POLL_HUP);
> >
> > NAK. kill_fasync does not affect the list state so using _safe does
> > not buy us anything.
>
> Sorry, but you're wrong.
>
> Immediately before the kill_fasync call list->node.next is a valid
> pointer, immediately afterwords it is 0x100100, which happens to be
> list_poison.  kill_fasync is triggering a close somehow, evdev_close
> deletes that element of the list, which poisons the next value, which
> can make us crash and burn.
>
> I have a 100% reproducible crash case, which is fixed by the change.
>
> If kill_fasync shouldn't be making it close that's another issue, but at
> the moment it is and this is a fairly non-invasive change which fixes
> it.
>

Unfortunately it does not really fix the problem, it just papers over
the issue. The crash will still happen if for some reason
evdev_release runs at a bad moment.

> > BTW, dtor_core@...ritech.net address is dead, please use
> > dmitry.torokhov@...il.com or dtor@...l.ru or dtor@...ghtbb.com.
>
> Noted, recommend updating the entry in MAINTAINERS. :)
>

Already done ;)

-- 
Dmitry
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ