lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 14 Mar 2007 17:26:07 +0100
From:	"Dmitry Adamushko" <dmitry.adamushko@...il.com>
To:	"Linux Kernel" <linux-kernel@...r.kernel.org>
Cc:	mingo@...e.hu
Subject: [BUG: kernel/irq/proc.c] unprotected iteration over the IRQ action list in name_unique()

Hi,

1-st issue:  unprotected iteration over the IRQ action list in name_unique()


the racing sequences:

[ 1 ]  request_irq() -> setup_irq() -> register_handler_proc() ->
name_unique() -> iterate over the action list (*)

setup_irq() releases a desc->lock before calling register_handler_proc().

[ 2 ]  free_irq() -> delete some element while (*) is still in progress -> bum!

something like this should make it safe :

--- kernel/irq/proc-old.c       2007-03-14 16:34:52.828981000 +0100
+++ kernel/irq/proc.c   2007-03-14 16:59:47.236950000 +0100
@@ -66,11 +66,18 @@ static int name_unique(unsigned int irq,
 {
        struct irq_desc *desc = irq_desc + irq;
        struct irqaction *action;
+       unsigned long flags;
+
+       spin_lock_irqsave(&desc->lock, flags);

        for (action = desc->action ; action; action = action->next)
                if ((action != new_action) && action->name &&
-                               !strcmp(new_action->name, action->name))
+                               !strcmp(new_action->name, action->name)) {
+                       spin_unlock_irqrestore(&desc->lock, flags);
                        return 0;
+               }
+
+       spin_unlock_irqrestore(&desc->lock, flags);
        return 1;
 }


2-nd issue:  now it's about register_irq_proc() which is also called
by setup_irq().

register_irq_proc() is called for all descriptors for which

(irq_desc[irq].chip == &no_irq_chip) != 0           (*)

at startup time from init_irq_proc().

Let's suppose (*) is not true for some desc at startup and changes at
some point later.

If so, register_irq_proc() takes effect being called from setup_irq().

Now let's suppose request_irq() is called on 2 cpus for the same
interrupt line and both end up in (%) below

[ request_irq() -> setup_irq() -> register_irq_proc() ]

void register_irq_proc(unsigned int irq)
{
        char name [MAX_NAMELEN];

        if (!root_irq_dir ||
                (irq_desc[irq].chip == &no_irq_chip) ||
                        irq_desc[irq].dir)
                return;

            (%)  <=== both are here

        memset(name, 0, MAX_NAMELEN);
        sprintf(name, "%d", irq);

        /* create /proc/irq/1234 */
        irq_desc[irq].dir = proc_mkdir(name, root_irq_dir);
...

Both will try to initialize "irq_desc[irq].dir" and "smp_affinity"
entry... Not bum, but a possible leak indeed.


TIA,

-- 
Best regards,
Dmitry Adamushko
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ