lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 17 Jan 2013 09:52:08 -0500
From:	Dave Jones <davej@...hat.com>
To:	Shankar Brahadeeswaran <shankoo77@...il.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: PROBLEM: __list_del_entry in lib/list_debug.c does not delete
 the node if the list is corrupted

On Thu, Jan 17, 2013 at 03:53:11PM +0530, Shankar Brahadeeswaran wrote:
 > Hi,
 > The following is the Bug Report on list_debug.c implementation.
 > 
 > [1.] The __list_del_entry implemented in lib/list_debug.c does not
 > delete the node if the list is corrupted
 > 
 > [2.] Full description of the problem/report:
 > The function __list_del_entry implemented in include/linux/list.h
 > always removes the node from the list it belongs to.
 > But the same function implemented in lib/list_debug.c does not remove
 > the node if the list it belongs to is corrupted.
 > So based on whether CONFIG_DEBUG_LIST  is defined or not the behavior
 > of the function __list_del_entry changes
 
If the list is corrupt, we don't know if it's safe to do further
manipulation. Those nodes could be pointing anywhere, and dereferencing them
could lead to oopses, GPFs or even lockups depending on config options,
and what the corrupt pointers are.

 > [2.1] Use Case in which the problem is seen (Assume that
 > CONFIG_DEBUG_LIST is defined so implementation used is from
 > list_debug.c)
 > In the AOSP kernel version the file dpm_prepare in file
 > drivers/base/power/main.c moves the "device" from dpm_list to
 > dpm_prepare list.
 > The following line of code does it.
 > 
 > list_move_tail(&dev->power.entry, &dpm_prepared_list);
 > 
 > Now the implementation of list_move_tail (include/linux/list.h) is as follows
 >         __list_del_entry(list);
 >         list_add_tail(list, head);
 > 
 > If the list in which &dev->power.entry lives (dpm_list) is corrupted
 > then the first call will not delete the node (Warning is thrown and
 > returns)

Find out why that list is corrupt, and fix that.

	Dave

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ