Date: Sun, 21 Dec 2014 11:25:16 -0600
From: Eric Biggers <ebiggers3@...il.com>
To: linux-wireless@...r.kernel.org
Cc: netdev@...r.kernel.org, Larry.Finger@...inger.net,
    linux-kernel@...r.kernel.org
Subject: [BUG] rtl8192se: panic accessing unmapped memory in skb

Hi,

I have a RTL8192SE wireless card, attached via PCI. Usually it works
with no issues, but I recently had a kernel panic occur in the rtl8192se
driver. The kernel version is 3.18. Based on my analysis of the panic
dump, the panic was caused by a memory access violation in this block of
code in rtl92se_rx_query_desc():

	if (stats->decrypted) {
		hdr = (struct ieee80211_hdr *)(skb->data +
		       stats->rx_drvinfo_size + stats->rx_bufshift);

		if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
		    (ieee80211_has_protected(hdr->frame_control)))
			rx_status->flag &= ~RX_FLAG_DECRYPTED;
		else
			rx_status->flag |= RX_FLAG_DECRYPTED;
	}

Specifically, the violation occurred the first time hdr->frame_control
was accessed, as part of _ieee80211_is_robust_mgmt_frame().

The panic occurred when the system was under heavy filesystem load but
seemingly is not easily reproducible.

There was recently a NULL check that was removed from this exact place
in the code, but it was certainly useless. Instead, what's much more
suspect to me is that inside _rtl_pci_rx_interrupt(), there is no error
checking of the return value of _rtl_pci_init_one_rxdesc(), which might
fail if the skb couldn't be allocated. I am wondering if this could be
causing the problem.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
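
The failure mode the message suspects (a receive-ring refill whose result is never checked), modeled in userspace C as an added example; this is not code from the rtlwifi driver or from the post. The ring structure, fail_alloc and the rx_one_* names are hypothetical, and init_one_rxdesc only mimics the role of the function named in the report.

```c
#include <stdio.h>
#include <stdlib.h>

#define RING_SIZE 4
#define BUF_LEN   64

/* Hypothetical userspace model of an RX ring; not the rtlwifi structures. */
struct rx_ring { unsigned char *buf[RING_SIZE]; };
static int fail_alloc;	/* set to 1 to simulate allocation failure under load */

/* Install a fresh buffer in slot i; on failure return -1, slot untouched. */
static int init_one_rxdesc(struct rx_ring *r, int i)
{
	unsigned char *b = fail_alloc ? NULL : calloc(1, BUF_LEN);
	if (!b)
		return -1;
	r->buf[i] = b;
	return 0;
}

/* Unchecked refill: the received buffer goes up the stack even when no
 * replacement was installed, so the ring slot and the caller share it. */
static unsigned char *rx_one_unchecked(struct rx_ring *r, int i)
{
	unsigned char *filled = r->buf[i];
	init_one_rxdesc(r, i);	/* return value ignored */
	return filled;
}

/* Checked refill: on failure drop the frame and keep the old buffer in the
 * ring for reuse. Returns the buffer to pass up, or NULL if dropped. */
static unsigned char *rx_one_checked(struct rx_ring *r, int i)
{
	unsigned char *filled = r->buf[i];
	if (init_one_rxdesc(r, i) != 0)
		return NULL;
	return filled;
}

int main(void)
{
	struct rx_ring r = { { 0 } };
	init_one_rxdesc(&r, 0);
	fail_alloc = 1;
	printf("unchecked aliases slot: %d\n", rx_one_unchecked(&r, 0) == r.buf[0]);
	printf("checked drops frame:    %d\n", rx_one_checked(&r, 0) == NULL);
	free(r.buf[0]);
	return 0;
}
```

In the unchecked path, once the caller frees or reuses the buffer it was handed, the ring slot is left pointing at memory it no longer owns; the checked path trades one dropped frame for a ring that always holds valid buffers.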