Message-Id: <20130724161222.f87f698d991594f5c94e455f@linux-foundation.org>
Date: Wed, 24 Jul 2013 16:12:22 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: Gustavo Padovan <gustavo@...ovan.org>
Cc: linux-kernel@...r.kernel.org,
Gustavo Padovan <gustavo.padovan@...labora.co.uk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
channing <chao.bi@...el.com>, Pavan Savoy <pavan_savoy@...com>
Subject: Re: [PATCH] ti-st: fix NULL dereference on protocol type check
On Tue, 23 Jul 2013 15:29:31 +0100 Gustavo Padovan <gustavo@...ovan.org> wrote:
> From: Gustavo Padovan <gustavo.padovan@...labora.co.uk>
>
> If the type we receive is greater than ST_MAX_CHANNELS we can't rely on
> type as vector index since we would be accessing unknown memory when we use the type
> as index.
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000001b
> pgd = c0004000
> [0000001b] *pgd=00000000
> Internal error: Oops: 17 [#1] PREEMPT SMP ARM
> Modules linked in: btwilink wl12xx wlcore mac80211 cfg80211 rfcomm bnep bluo
> CPU: 0 Tainted: G W (3.4.0+ #15)
> PC is at st_int_recv+0x278/0x344
> LR is at get_parent_ip+0x14/0x30
> pc : [<c03b01a8>] lr : [<c007273c>] psr: 200f0193
> sp : dc631ed0 ip : e3e21c24 fp : dc631f04
> r10: 00000000 r9 : 600f0113 r8 : 0000003f
> r7 : e3e21b14 r6 : 00000067 r5 : e2e49c1c r4 : e3e21a80
> r3 : 00000001 r2 : 00000001 r1 : 00000001 r0 : 600f0113
> Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
> Control: 10c5387d Table: 9c50004a DAC: 00000015
>
> Signed-off-by: Gustavo Padovan <gustavo.padovan@...labora.co.uk>
> ---
> drivers/misc/ti-st/st_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c
> index 0a14280..8e64eb1 100644
> --- a/drivers/misc/ti-st/st_core.c
> +++ b/drivers/misc/ti-st/st_core.c
> @@ -343,7 +343,7 @@ void st_int_recv(void *disc_data,
> /* Unknow packet? */
> default:
> type = *ptr;
> - if (st_gdata->list[type] == NULL) {
> + if (type >= ST_MAX_CHANNELS || st_gdata->list[type] == NULL) {
> pr_err("chip/interface misbehavior dropping"
> " frame starting with 0x%02x", type);
> goto done;
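Review bot: the new `type >= ST_MAX_CHANNELS` test sits to the left of `st_gdata->list[type]`, so short-circuit evaluation stops the out-of-bounds read of the `list` array before it happens, but it only bounds the upper end; `type` is assigned from `*ptr` and its declaration is not in the hunk, so if it is a signed type a byte with the high bit set becomes negative and still passes the check and indexes before the start of `list`. Confirm `type` is unsigned, or compare `(unsigned char)*ptr` against `ST_MAX_CHANNELS`. Minor points in the surrounding context: `/* Unknow packet? */` should read `Unknown`, and the `pr_err` format string lacks a terminating `\n`.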
This would be a bug in the calling code, would it not?
How did this come about?