| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <200810251319.07232.laurent.pinchart@skynet.be> Date: Sat, 25 Oct 2008 13:19:07 +0200 From: Laurent Pinchart <laurent.pinchart@...net.be> To: linux-uvc-devel@...ts.berlios.de Cc: Mauro Carvalho Chehab <mchehab@...radead.org>, Alan Jenkins <alan-jenkins@...fmail.co.uk>, linux-kernel <linux-kernel@...r.kernel.org> Subject: Re: [Linux-uvc-devel] [BUG] NULL pointer dereference caused by uvcvideo stress test Hi Mauro, On Friday 24 October 2008, Mauro Carvalho Chehab wrote: > On Thu, 16 Oct 2008 11:01:27 +0100 > > Alan Jenkins <alan-jenkins@...fmail.co.uk> wrote: > > Laurent Pinchart wrote: > > > Hi Alan, > > > > > > On Wednesday 15 October 2008, Alan Jenkins wrote: > > >> Laurent Pinchart wrote: > > >>> On Wednesday 15 October 2008, Alan Jenkins wrote: > > >>>> If you look at the trace, it happens as "hald-probe-video" opens the > > >>>> video device. This is from Ubuntu 8.04. Possibly it's significant > > >>>> that I use the camera first, to make sure it works (I use Kopete, > > >>>> the settings dialogue includes a video test). > > >>> > > >>> The NULL pointer (or rather 0x00000030 pointer) dereference happens > > >>> in video_open: > > >>> > > >>> file->f_op = fops_get(vfl->fops); > > >>> if (file->f_op->open) > > >>> err = file->f_op->open(inode, file); > > >>> > > >>> file->f_op ends up being NULL. Either vfl->fops is NULL to begin > > >>> with, or fops_get failed to get a reference to the file_operations > > >>> structure. > > >>> > > >>> I'd be surprised if vfl->fops was NULL. To rule out that case, can > > >>> you add a BUG_ON(vfl->fops == NULL) before the call to fops_get ? > > >>> > > >>> I'm not too familiar with the module loader, but a quick look at the > > >>> code shows that the module could be marked as being unloaded > > >>> (MODULE_STATE_GOING) before its exit function is called. If this is > > >>> the case video_open would still be called, as the video device would > > >>> still be registered, but fops_get would fail in try_module_get and > > >>> return a NULL pointer. It seems the pointer returned by fops_get > > >>> should be tested in video_open. > > >>> > > >>> I've CC'ed the v4l maintainer to get his opinion on this. > > Sorry for being late with this. Too much work here... > > I suspect that you only hit this bug due to BKL removal from open/close > fops. maybe you're calling open() before having the device fully > initialized? It's actually the other way around. open() is closed while unloading the module. As v4l is being moved to cdev the bug will go away. > Anyway, I think that the proposed check is interesting on other places > where there are similar code. Best regards, Laurent Pinchart -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists