lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20110802115145.25b6a445@schatten.dmk.lab>
Date:	Tue, 2 Aug 2011 11:51:45 +0200
From:	Florian Mickler <florian@...kler.org>
To:	Dan Carpenter <error27@...il.com>
Cc:	linux-kernel@...r.kernel.org, Tino Keitel <tino.keitel@...ei.de>,
	mchehab@...radead.org
Subject: Re: USB related "unable to handle kernel paging request" in
 3.0.0-rc7

On Tue, 2 Aug 2011 11:54:47 +0300
Dan Carpenter <error27@...il.com> wrote:

> Looking at this, I noticed a memory corruption bug introduce in:
> ab22cbda6651d "[media] vp7045: get rid of on-stack dma buffers"
> 
> vp7045_properties.size_of_priv is sizeof(u8 *) so in vp7045_usb_probe()
> the d->priv buffer gets allocated twice.  Once in:
> 	dvb_usb_device_init()
> 	-> dvb_usb_init()
> 
> And once explicitly to a larger buffer later on in the function with
> a kmalloc().
> 
> So the two places that use the buffer will probably race and cause
> memory corruption.
> 
> regards,
> dan carpenter

Damn. That (u8*)sized priv buffer should only hold a pointer to the
transfer buffer allocated in the prope routine. But I botched that. 
I will send a fixup in a minute.  

Regards,
Flo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ