| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 15 Mar 2007 10:53:13 +0100 From: "Dmitry Adamushko" <dmitry.adamushko@...il.com> To: "Linux Kernel" <linux-kernel@...r.kernel.org> Subject: Re: [BUG: kernel/irq/proc.c] unprotected iteration over the IRQ action list in name_unique() On 14/03/07, Dmitry Adamushko <dmitry.adamushko@...il.com> wrote: > 1-st issue: unprotected iteration over the IRQ action list in name_unique() > > > the racing sequences: > > [ 1 ] request_irq() -> setup_irq() -> register_handler_proc() -> > name_unique() -> iterate over the action list (*) > > setup_irq() releases a desc->lock before calling register_handler_proc(). > > [ 2 ] free_irq() -> delete some element while (*) is still in progress -> bum! "delete" == remove from the list + kfree() as synchronize_irq() is not going to prevent it for obvious reasons. Of course, request_irq() and free_irq() are called for the same /shared/ irq line but for /different/ handlers. Looks too obvious to be true. I already expected someone prooving me wrong, at the very least by pointing out a special option of vim to activate some hidden synchronization code :o) -- Best regards, Dmitry Adamushko - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists