lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20080531203940.40536c9a@infradead.org>
Date:	Sat, 31 May 2008 20:39:40 -0700
From:	Arjan van de Ven <arjan@...radead.org>
To:	airlied@...ux.ie
Cc:	linux-kernel@...r.kernel.org
Subject: [PATCH] drm: fix crash due to /proc registration race



From: Arjan van de Ven <arjan@...ux.intel.com>
Subject: [PATCH] drm: fix crash due to /proc registration race

The DRM layer creates proc entries like this:

                ent = create_proc_entry(drm_proc_list[i].name,
                                        S_IFREG | S_IRUGO, minor->dev_root);
                if (!ent) {
			... stuff ...
                }
                ent->read_proc = drm_proc_list[i].f;
                ent->data = minor;

however that leaves a short window where the /proc file is visible,
but where ->data is not initialized yet.
It appears that this race is actually hit in practice:
http://www.kerneloops.org/search.php?search=drm_name_info

(of course it could be some other race.. but this race appears
to be there at least)

Reported-by: www.kerneloops.org
Signed-off-by: Arjan van de Ven <arjan@...ux.intel.com>
---
 drivers/char/drm/drm_proc.c |   13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/drivers/char/drm/drm_proc.c b/drivers/char/drm/drm_proc.c
index 93b1e04..19e61ad 100644
--- a/drivers/char/drm/drm_proc.c
+++ b/drivers/char/drm/drm_proc.c
@@ -164,9 +164,20 @@ static int drm_name_info(char *buf, char **start, off_t offset, int request,
 			 int *eof, void *data)
 {
 	struct drm_minor *minor = (struct drm_minor *) data;
-	struct drm_device *dev = minor->dev;
+	struct drm_device *dev;
 	int len = 0;
 
+	/*
+	 * When creating the /proc files, there is a tiny race window
+	 * where "data" isn't assigned yet... error out rather than dereference
+	 */
+	if (!data) {
+		*eof = 1;
+		return 0;
+	}
+
+	dev = minor->dev;
+
 	if (offset > DRM_PROC_LIMIT) {
 		*eof = 1;
 		return 0;
-- 
1.5.5.1


-- 
If you want to reach me at my work email, use arjan@...ux.intel.com
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ