Open Source and information security mailing list archives
 
Message-ID: <0C18FE92A7765D4EB9EE5D38D86A563A01A2FCD9@SHSMSX103.ccr.corp.intel.com>
Date:	Tue, 24 Dec 2013 12:28:05 +0000
From:	"Du, ChangbinX" <changbinx.du@...el.com>
To:	Alan Stern <stern@...land.harvard.edu>
CC:	"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
	"sarah.a.sharp@...ux.intel.com" <sarah.a.sharp@...ux.intel.com>,
	"Lan, Tianyu" <tianyu.lan@...el.com>,
	"burzalodowa@...il.com" <burzalodowa@...il.com>,
	"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] usb/core: fix NULL pointer dereference in
 recursively_mark_NOTATTACHED

> From: Alan Stern [mailto:stern@...land.harvard.edu]
> Sent: Monday, December 23, 2013 11:13 PM
> To: Du, ChangbinX
> Cc: gregkh@...uxfoundation.org; sarah.a.sharp@...ux.intel.com; Lan, Tianyu;
> burzalodowa@...il.com; linux-usb@...r.kernel.org;
> linux-kernel@...r.kernel.org
> Subject: Re: [PATCH] usb/core: fix NULL pointer dereference in
> recursively_mark_NOTATTACHED
> 
> On Mon, 23 Dec 2013, Du, ChangbinX wrote:
> 
> > usb_hub_to_struct_hub() can return NULL if the hub has no active
> > configuration. So the result must be checked.
> >
> > BUG: unable to handle kernel NULL pointer dereference at 0000015c

> How did you manage to trigger this BUG?  If hub is NULL then
> udev->maxchild should be 0.  See the code in hub_disconnect().
>
> Alan Stern

Hello, Alan. The hub should also be NULL if actconfig is NULL. You can see it in the function
usb_hub_to_struct_hub().
udev->maxchild will be set to 0 in hub_disconnect(). But before that,
recursively_mark_NOTATTACHED() may be called when calling usb_disconnect(). So this issue
will happen when usb_disconnect() is called on a hub that does not have a configuration yet.
It happened once here when unplugging an OTG cable from the DUT (which will cause the hcd to
be removed) with tiers of hubs and devices. But it's not easy to reproduce.
This is my analysis; what do you think?

Du, Changbin
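
The state discussed in this message (a hub whose maxchild is still nonzero while it has no active configuration) can be modelled in user space. The following is an added example, not code from the patch or the kernel; the `model_*` names, structs and the scenario are assumptions made for illustration.

```c
#include <stddef.h>

#define MAX_PORTS 4
enum dev_state { ATTACHED, NOTATTACHED };

struct model_hub;
struct model_dev {
    int maxchild;               /* port count; nonzero until the hub driver disconnects */
    int has_actconfig;          /* models udev->actconfig != NULL */
    struct model_hub *hubdata;  /* per-hub data, reachable only via the configuration */
    enum dev_state state;
};
struct model_hub { struct model_dev *child[MAX_PORTS]; };

/* Lookup as described in the thread: NULL without an active configuration. */
static struct model_hub *model_dev_to_hub(struct model_dev *d)
{
    if (!d || !d->has_actconfig || !d->maxchild)
        return NULL;
    return d->hubdata;
}

/* Guarded recursive walk; returns how many devices were marked. */
static int model_mark_notattached(struct model_dev *d)
{
    struct model_hub *h = model_dev_to_hub(d);
    int i, marked = 1;

    /* maxchild alone is not a safe bound: h can be NULL while maxchild > 0 */
    for (i = 0; h && i < d->maxchild; ++i)
        if (h->child[i])
            marked += model_mark_notattached(h->child[i]);
    d->state = NOTATTACHED;
    return marked;
}

/* Constructed scenario: a hub with one child, torn down with or without a config. */
static int model_scenario(int hub_has_config)
{
    struct model_dev leaf = { 0, 1, NULL, ATTACHED };
    struct model_hub ports = { { &leaf, NULL, NULL, NULL } };
    struct model_dev hub = { MAX_PORTS, hub_has_config, &ports, ATTACHED };

    return model_mark_notattached(&hub);
}
```

Without the `h &&` guard, the unconfigured case would dereference a NULL hub pointer on the first loop iteration, which is the failure the BUG line in the quoted report shows.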