lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 16 Oct 2007 16:48:54 +0300
From:	Vitaliy Ivanov <vitalivanov@...il.com>
To:	Pete Zaitcev <zaitcev@...hat.com>
Cc:	Willy Tarreau <w@....eu>, gregkh@...e.de,
	linux-usb-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org
Subject: Re: [2.4 patch] Port of adutux driver from 2.6 kernel to 2.4.

Pete,

On Mon, 2007-10-15 at 20:30, Pete Zaitcev wrote:

> > +	in_end_size = le16_to_cpu(dev->interrupt_in_endpoint->wMaxPacketSize);
> > +	out_end_size = le16_to_cpu(dev->interrupt_out_endpoint->wMaxPacketSize);
> 
> Did you verify if this works? We use pre-swapped descriptors in 2.4.
> I suspect you allocate 256 times more memory than necessary.

Just checked. Seems to be OK. At least printk shows shows it.

> 
> > +static void adu_delete(struct adu_device *dev)
> > +	kfree(dev);
> 
> > +static int adu_release_internal(struct adu_device *dev)
> > +	if (dev->udev == NULL) {
> > +		adu_delete(dev);
> 
> > +static int adu_open(struct inode *inode, struct file *file)
> > +	retval = adu_release_internal(dev);
> > +	up(&dev->sem);
> 
> The above very clearly is a use-after-free, in case the device was
> open across a disconnect. Solution: Use minor_table_mutex to lock
> dev->open_count instead of dev->sem. There's no rule that the lock
> has to live inside the same structure with members it locks.

Yeah. You are right. Found similar issue in adu_release also. 
It's a problem with 2.6 kernel driver.
So, I've got a material to create some fixes in 2.6 driver too.
I've reworked the code to avoid this issue.

Sending final patch as a reply to Willy's mail. Please check it.


Vitaliy

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ