lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 09 Jul 2008 12:53:26 -0700
From:	Roland Dreier <roland@...italvampire.org>
To:	Laurent Pinchart <laurent.pinchart@...net.be>
Cc:	Romano Giannetti <romano@....icai.upcomillas.es>,
	linux-kernel@...r.kernel.org, linux-uvc-devel@...lios.de
Subject: Re: Linux 2.6.26-rc9 circular lock with uvcvideo on resume from hibernation

 > uvc_disconnect()                      | uvc_v4l2_open()
 > ...                                   |
 > mutex_lock(&uvc_driver.open_mutex);   |
 > dev->state |= UVC_DEV_DISCONNECTED;   |
 > mutex_unlock(&uvc_driver.open_mutex); |
 >                                       |
 >                                       | mutex_lock(&uvc_driver.open_mutex);
 >                                       | vdev = video_devdata(file);
 >                                       | video = video_get_drvdata(vdev);
 >                                       |
 > kref_put(&dev->kref, uvc_delete);     |
 >                                       |
 >                                       | if (video->dev->state...) 
 > 
 > kref_put() in uvc_disconnect() will call uvc_delete(), which will in turn free 
 > the video structure. uvc_v4l2_open() will then dereference freed memory when 
 > testing the device state.

I don't believe this is correct.  I tried to explain it in my
changelog by saying "uvc_delete() does uvc_unregister_video() (and
hence video_unregister_device(), which is synchronized with
videodev_lock) as its first thing, so there is no risk of
use-after-free in uvc_v4l2_open()."

In other words, the first thing uvc_delete() does is call
uvc_unregister_video(), which will video_unregister_device().  Since
this needs to take videodev_lock, it will wait until uvc_v4l2_open()
returns (which it will do, since state is now UVC_DEV_DISCONNECTED).
So the video struct will not be freed until after uvc_v4l2_open()
returns.

As far as I can see there is no use-after-free.

 - R.
-- 
Roland Dreier  <roland@...italvampire.org>  GPG Key: 1024D/E0EEFAC0
Fingerprint:     A89F B5E9 C185 F34D BD50  4009 37E2 25CC E0EE FAC0

 Sending >500KB attachments is forbidden by the Geneva Convention.
        Your country may be at risk if you fail to comply.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ