lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 4 Oct 2010 15:50:31 +0200 (CEST)
From:	Jiri Kosina <jkosina@...e.cz>
To:	Antonio Ospite <ospite@...denti.unina.it>
Cc:	linux-input@...r.kernel.org, Alan Ott <alan@...nal11.us>,
	Oliver Neukum <oliver@...kum.name>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] HID: hidraw, fix a NULL pointer dereference in
 hidraw_ioctl

On Sat, 2 Oct 2010, Antonio Ospite wrote:

> BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
> IP: [<ffffffffa02c66b4>] hidraw_ioctl+0xfc/0x32c [hid]
> [...]
> 
> This is reproducible by disconnecting the device while userspace does ioctl in
> a loop and doesn't check return values in order to exit the loop, like in the
> following test program:
> 
> int main(int argc, char *argv[])
> {
> 	int fd = -1;
> 	unsigned char name[256];
> 	int ret;
> 
> 	if (argc != 2) {
> 		fprintf(stderr, "usage: %s </dev/hidrawX>\n",
> 				argv[0]);
> 		exit(1);
> 	}
> 
> 	fd = open(argv[1], O_RDWR);
> 	if (fd < 0) {
> 		perror("hidraw open");
> 		exit(1);
> 	}
> 
> 	while (1) {
> 		ret = ioctl(fd, HIDIOCGRAWNAME(256), name);
> 		printf("ret: %d name: %s\n", ret, name);
> 	}
> 
> 	close(fd);
> 	exit(0);
> }

Thanks for cathing this.

> 
> Signed-off-by: Antonio Ospite <ospite@...denti.unina.it>
> ---
> Should this be applied to older stable kernels too?

Yes, I will be adding (or feel free to do so yourself with another respin) 
"Cc: stable@...nel.org" line.

> there is a similar problem when _writing_ to the device, but Alan's
> changes in that area are shuffling the code a bit, should I send a patch
> [to hidraw_send_report()] on top of Alan's work for that, or a fix for
> current mainline [in hidraw_write()] on which Alan should rebase his
> work would be better?

Please send me the fix for current mainline for now, i.e. respin with the 
write path covered as well. We are struggling to get feedback on Alan's 
patches from Bluetooth maintainer, so we'd rather have this race fixed in 
any case.

Thanks,

-- 
Jiri Kosina
SUSE Labs, Novell Inc.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ