lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <52A2566B.3030302@ispras.ru>
Date:	Sat, 07 Dec 2013 02:57:47 +0400
From:	Alexey Khoroshilov <khoroshilov@...ras.ru>
To:	Oliver Hartkopp <socketcan@...tkopp.net>,
	Wolfgang Grandegger <wg@...ndegger.com>
CC:	Marc Kleine-Budde <mkl@...gutronix.de>, linux-can@...r.kernel.org,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	ldv-project@...uxtesting.org
Subject: Re: [PATCH] can: ems_usb: fix a leak in ems_usb_start_xmit()

On 07.12.2013 02:28, Oliver Hartkopp wrote:
> Alexey Khoroshilov <khoroshilov@...ras.ru> schrieb:
>> There is spare code with obvious misprint in ems_usb_start_xmit():
>> usb_free_urb() should be used to deallocate urb instead of
>> usb_unanchor_urb().
>>
>> Found by Linux Driver Verification project (linuxtesting.org).
>>
>> Signed-off-by: Alexey Khoroshilov <khoroshilov@...ras.ru>
>> ---
>> drivers/net/can/usb/ems_usb.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/can/usb/ems_usb.c
>> b/drivers/net/can/usb/ems_usb.c
>> index 5f9a7ad9b964..beae1ec255f4 100644
>> --- a/drivers/net/can/usb/ems_usb.c
>> +++ b/drivers/net/can/usb/ems_usb.c
>> @@ -798,7 +798,7 @@ static netdev_tx_t ems_usb_start_xmit(struct
>> sk_buff *skb, struct net_device *ne
>> 	 * allowed (MAX_TX_URBS).
>> 	 */
>> 	if (!context) {
>> -		usb_unanchor_urb(urb);
>> +		usb_free_urb(urb);
>> 		usb_free_coherent(dev->udev, size, buf, urb->transfer_dma);
>>
> looks like you are introducing a new use after free problem here ...
>
You are right. usb_free_urb(urb) should be one line below.

I will resend the patch with one more similar fix in the driver.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ