Message-ID: <AANLkTikT3NUv5gqr2f9UXORPVbUaHCYbL5ejFCSBiz8X@mail.gmail.com>
Date:	Thu, 9 Dec 2010 21:49:00 +0800
From:	Hillf Danton <dhillf@...il.com>
To:	Matthew Wilcox <matthew@....cx>
Cc:	linux-kernel@...r.kernel.org, linux-scsi@...r.kernel.org,
	"Zou, Yi" <yi.zou@...el.com>, Joe Eykholt <jeykholt@...co.com>
Subject: Re: [PATCH] fix vulnerability of the release method of file
 operations in Block layer SCSI generic driver

On Wed, Nov 10, 2010 at 11:18 PM, Matthew Wilcox <matthew@....cx> wrote:
> On Wed, Nov 10, 2010 at 10:08:37PM +0800, Hillf Danton wrote:
>> The computation context setup by previous opening the bsg file could
>> not survive following open/release operations upon the same file
>> object.
>
> Umm .. release is called on final close of a file, not on every close
> of a file.

Thanks for sharing the knowledge about the release callback.

But I am still wondering, if the operations in the release are safe, how the
increments, pumped up by open operations on cmdline, of the ref_count
of bsg device then get decreased, which could trigger mm leakage.

And both vulnerability and leakage, if possible, could be fixed by replacing
the only line we are concerned about with printk, see below please.

Cheers
Hillf
---

--- a/block/bsg.c	2010-11-01 19:54:12.000000000 +0800
+++ b/block/bsg.c	2010-12-09 21:38:32.000000000 +0800
@@ -855,7 +855,10 @@ static int bsg_release(struct inode *ino
 {
 	struct bsg_device *bd = file->private_data;

-	file->private_data = NULL;
+	if (atomic_read(&bd->ref_count) != 1)
+		printk(KERN_WARNING "bsg: ref count of %s is %d\n",
+			bd->name, atomic_read(&bd->ref_count));
+
 	return bsg_put_device(bd);
 }
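
Review bot: The added check in bsg_release() calls atomic_read(&bd->ref_count) twice, once in the `if` and once as the printk argument, so the value logged can differ from the value that failed the test; read it once into a local int and use that in both places. The new lines only report the count: nothing in this hunk changes how ref_count is decremented, which is still left to the unchanged `return bsg_put_device(bd);`, so the changelog should explain how dropping `file->private_data = NULL;` addresses the leak it describes. The warning also sits on a path that user space reaches by closing the file and has no rate limit, so consider guarding it with printk_ratelimit() to keep it from flooding the log.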