| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Oct 2008 14:03:49 +0200 From: Laurent Pinchart <laurent.pinchart@...net.be> To: Alan Jenkins <alan-jenkins@...fmail.co.uk> Cc: linux-uvc-devel@...ts.berlios.de, linux-kernel <linux-kernel@...r.kernel.org>, Mauro Carvalho Chehab <mchehab@...radead.org> Subject: Re: [Linux-uvc-devel] [BUG] NULL pointer dereference caused by uvcvideo stress test Hi Alan, On Thursday 16 October 2008, Alan Jenkins wrote: > Laurent Pinchart wrote: > > On Wednesday 15 October 2008, Alan Jenkins wrote: > >> Laurent Pinchart wrote: > >>> On Wednesday 15 October 2008, Alan Jenkins wrote: > >>>> If you look at the trace, it happens as "hald-probe-video" opens the > >>>> video device. This is from Ubuntu 8.04. Possibly it's significant > >>>> that I use the camera first, to make sure it works (I use Kopete, the > >>>> settings dialogue includes a video test). > >>> > >>> The NULL pointer (or rather 0x00000030 pointer) dereference happens in > >>> video_open: > >>> > >>> file->f_op = fops_get(vfl->fops); > >>> if (file->f_op->open) > >>> err = file->f_op->open(inode, file); > >>> > >>> file->f_op ends up being NULL. Either vfl->fops is NULL to begin with, > >>> or fops_get failed to get a reference to the file_operations structure. > >>> > >>> I'd be surprised if vfl->fops was NULL. To rule out that case, can you > >>> add a BUG_ON(vfl->fops == NULL) before the call to fops_get ? > >>> > >>> I'm not too familiar with the module loader, but a quick look at the > >>> code shows that the module could be marked as being unloaded > >>> (MODULE_STATE_GOING) before its exit function is called. If this is the > >>> case video_open would still be called, as the video device would still > >>> be registered, but fops_get would fail in try_module_get and return a > >>> NULL pointer. It seems the pointer returned by fops_get should be > >>> tested in video_open. > >>> > >>> I've CC'ed the v4l maintainer to get his opinion on this. > >> > >> I put one before and one after > >> > >> 134 BUG_ON(vfl->fops == NULL); > >> 135 file->f_op = fops_get(vfl->fops); > >> 136 BUG_ON(file->f_op == NULL); > >> > >> and the second one triggered > > > > This confirms my suspicion. Could you please try the attached patch ? > > Yup, that seems to fix it. Great. > I wonder if there are more instances of this error in other subsystems. >From a quick grep it seems the following subsystems are affected: drivers/media/video drivers/media/video/dvb/dvb-core drivers/gpu/drm sound/core Unless the issue is critical and should be fixed before 2.6.28, drivers/media/video won't matter as the v4l core has already been moved to the cdev API in the kernel tree, removing the offending code. Will you submit patches for the other three subsystems or would you like me to take care of that ? Best regards, Laurent Pinchart -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists