lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1400819147-14236-6-git-send-email-matlackdavid@gmail.com>
Date:	Thu, 22 May 2014 21:25:45 -0700
From:	David Matlack <matlackdavid@...il.com>
To:	gregkh@...uxfoundation.org
Cc:	linux-kernel@...r.kernel.org, devel@...verdev.osuosl.org,
	liodot@...il.com, charrer@...critech.com,
	David Matlack <matlackdavid@...il.com>
Subject: [PATCH] staging: slicoss: fix use-after-free bug in slic_entry_remove

Fix a use-after-free bug that causes a null pointer dereference in
slic_entry_halt().

Since unregister_netdev() will ultimately call slic_entry_halt() (the
net_device ndo_stop() virtual function for this device), we should
call it before freeing the memory that is used by slic_entry_halt().
Specifically, slic_unmap_mmio_space() frees adapter->slic_regs, but
those registers are used in slic_entry_halt().

Signed-off-by: David Matlack <matlackdavid@...il.com>
---
This patch was originally sent here https://lkml.org/lkml/2014/5/6/5 with
my google.com email address. But due to Google's recent change in DMARC
policies, that patchset was silently dropped for at least some users
(including my personal gmail account). So I'm sending it out now with
my gmail.com account. Let me know if this is an issue. Thanks.

 drivers/staging/slicoss/slicoss.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c
index d670490..b8eeb3b 100644
--- a/drivers/staging/slicoss/slicoss.c
+++ b/drivers/staging/slicoss/slicoss.c
@@ -2526,9 +2526,10 @@ static void slic_entry_remove(struct pci_dev *pcidev)
 	struct sliccard *card;
 	struct mcast_address *mcaddr, *mlist;
 
+	unregister_netdev(dev);
+
 	slic_adapter_freeresources(adapter);
 	slic_unmap_mmio_space(adapter);
-	unregister_netdev(dev);
 
 	/* free multicast addresses */
 	mlist = adapter->mcastaddrs;
-- 
1.9.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ