lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200810161403.49267.laurent.pinchart@skynet.be>
Date:	Thu, 16 Oct 2008 14:03:49 +0200
From:	Laurent Pinchart <laurent.pinchart@...net.be>
To:	Alan Jenkins <alan-jenkins@...fmail.co.uk>
Cc:	linux-uvc-devel@...ts.berlios.de,
	linux-kernel <linux-kernel@...r.kernel.org>,
	Mauro Carvalho Chehab <mchehab@...radead.org>
Subject: Re: [Linux-uvc-devel] [BUG] NULL pointer dereference caused by uvcvideo stress test

Hi Alan,

On Thursday 16 October 2008, Alan Jenkins wrote:
> Laurent Pinchart wrote:
> > On Wednesday 15 October 2008, Alan Jenkins wrote:
> >> Laurent Pinchart wrote:
> >>> On Wednesday 15 October 2008, Alan Jenkins wrote:
> >>>> If you look at the trace, it happens as "hald-probe-video" opens the
> >>>> video device.  This is from Ubuntu 8.04.  Possibly it's significant
> >>>> that I use the camera first, to make sure it works (I use Kopete, the
> >>>> settings dialogue includes a video test).
> >>>
> >>> The NULL pointer (or rather 0x00000030 pointer) dereference happens in
> >>> video_open:
> >>>
> >>>         file->f_op = fops_get(vfl->fops);
> >>>         if (file->f_op->open)
> >>>                 err = file->f_op->open(inode, file);
> >>>
> >>> file->f_op ends up being NULL. Either vfl->fops is NULL to begin with,
> >>> or fops_get failed to get a reference to the file_operations structure.
> >>>
> >>> I'd be surprised if vfl->fops was NULL. To rule out that case, can you
> >>> add a BUG_ON(vfl->fops == NULL) before the call to fops_get ?
> >>>
> >>> I'm not too familiar with the module loader, but a quick look at the
> >>> code shows that the module could be marked as being unloaded
> >>> (MODULE_STATE_GOING) before its exit function is called. If this is the
> >>> case video_open would still be called, as the video device would still
> >>> be registered, but fops_get would fail in try_module_get and return a
> >>> NULL pointer. It seems the pointer returned by fops_get should be
> >>> tested in video_open.
> >>>
> >>> I've CC'ed the v4l maintainer to get his opinion on this.
> >>
> >> I put one before and one after
> >>
> >> 134    BUG_ON(vfl->fops == NULL);
> >> 135    file->f_op = fops_get(vfl->fops);
> >> 136    BUG_ON(file->f_op == NULL);
> >>
> >> and the second one triggered
> >
> > This confirms my suspicion. Could you please try the attached patch ?
>
> Yup, that seems to fix it.

Great.

> I wonder if there are more instances of this error in other subsystems.

>From a quick grep it seems the following subsystems are affected:

drivers/media/video
drivers/media/video/dvb/dvb-core
drivers/gpu/drm
sound/core

Unless the issue is critical and should be fixed before 2.6.28, 
drivers/media/video won't matter as the v4l core has already been moved to 
the cdev API in the kernel tree, removing the offending code.

Will you submit patches for the other three subsystems or would you like me to 
take care of that ?

Best regards,

Laurent Pinchart
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ