| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Aug 2008 10:08:24 +0200
From: Oliver Neukum <oliver@...kum.org>
To: Greg KH <greg@...ah.com>
Cc: linux-usb@...r.kernel.org, Stefan Kopp <stefan_kopp@...lent.com>,
Marcel Janssen <korgull@...e.nl>,
Felipe Balbi <me@...ipebalbi.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] USB: add USB test and measurement class driver
Am Mittwoch 27 August 2008 02:05:01 schrieb Greg KH:
> + intf = usb_find_interface(&usbtmc_driver, iminor(inode));
> + if (!intf) {
> + printk(KERN_ERR KBUILD_MODNAME
> + ": can not find device for minor %d", iminor(inode));
> + return -ENODEV;
> + }
> +
> + data = usb_get_intfdata(intf);
> + kref_get(&data->kref);
> +
> + /* Store pointer in file structure's private data field */
> + filp->private_data = data;
> +
> + dev = &data->intf->dev;
> +static void usbtmc_delete(struct kref *kref)
> +{
> + struct usbtmc_device_data *data = to_usbtmc_data(kref);
> +
> + usb_put_dev(data->usb_dev);
> + kfree(data->buffer);
> + kfree(data);
> +}
> +
This is a race condition.
CPU A CPU B
open()
usb_find_interface()
disconnect()
kref_put()
usbtmc_delete()
kfree()
kref_get()
You can write to free memory. You must use a static mutex for
mutual exclusion between open() and disconnect()
Regards
Oliver
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists