lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <555C9EC9.40303@rosalab.ru>
Date:	Wed, 20 May 2015 17:48:41 +0300
From:	Eugene Shatokhin <eugene.shatokhin@...alab.ru>
To:	Laurent Pinchart <laurent.pinchart@...asonboard.com>
CC:	Mauro Carvalho Chehab <mchehab@....samsung.com>,
	LKML <linux-kernel@...r.kernel.org>
Subject: uvcvideo: Race on dev->state between uvc_disconnect() and uvc_v4l2_open()

Hi,

There is a race in uvcvideo module between uvc_disconnect() and 
uvc_v4l2_open() on dev->state. Checked and reproduced that with kernel 
4.1-rc1.

drivers/media/usb/uvc/uvc_driver.c, uvc_disconnect():

	dev->state |= UVC_DEV_DISCONNECTED;

drivers/media/usb/uvc/uvc_v4l2.c, uvc_v4l2_open():

	if (stream->dev->state & UVC_DEV_DISCONNECTED)
		return -ENODEV;

I checked that the race does happen by introducing a delay in 
uvc_disconnect() right before that assignment and armed a hardware 
breakpoint to detect the access to stream->dev->state from 
uvc_v4l2_open(). When I disconnected the webcam while Google Hangout was 
running, the hardware breakpoint triggered several times for that read 
in uvc_v4l2_open (uvc_v4l2.c:484). uvc_v4l2_open() was called in the 
context of GoogleTalkPlugin processes.

Not sure if the race is intentional but I guess, better to report it 
anyway. Nothing has crashed during my (brief) testing yet, but still.

Regards,

Eugene

-- 
Eugene Shatokhin, ROSA
www.rosalab.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ