lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 02 Dec 2011 17:26:20 +0200
From:	Stratos Psomadakis <psomas@...too.org>
To:	linux-kernel@...r.kernel.org
CC:	stable@...r.kernel.org, gregkh@...e.de, linux-scsi@...r.kernel.org,
	JBottomley@...allels.com, matthew@....cx, Martin.vGagern@....net,
	kernel@...too.org
Subject: [SCSI] NULL pointer dereference in sym53c8xx (bisected)

Hi,

After upstream commit 4e6c82b3614a18740ef63109d58743a359266daf ([SCSI]
fix WARNING: at drivers/scsi/scsi_lib.c:1704), which is also included in
3.0-stable and 3.1-stable kernels, the kernel fails to boot (NULL
pointer dereference in sym53c8xx_slave_destroy).

Bug report at the Gentoo Bugzilla (reported and bisected by Martin von
Gagern). [1]  (stack trace [2])

I think that the problem is that (after commit 4e6c82b)
__scsi_remove_device() is called if slave_alloc() in scsi_alloc_sdev()
fails. But __scsi_remove_device() calls slave_destroy(), which (I think)
doesn't make much sense (ie to call slave_destroy() when slave_alloc()
fails).

For sym53c8xx, this results in a NULL pointer dereference (struct
sym_lcb pointer) in slave_destroy().

[1] https://bugs.gentoo.org/show_bug.cgi?id=392567
[2] https://392567.bugs.gentoo.org/attachment.cgi?id=294381

-- 
Stratos Psomadakis
<psomas@...too.org>



Download attachment "signature.asc" of type "application/pgp-signature" (263 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ