Date:	Mon, 29 Feb 2016 17:21:18 +0000
From:	Jake Oshins <jakeo@...rosoft.com>
To:	Dan Carpenter <dan.carpenter@...cle.com>,
	KY Srinivasan <kys@...rosoft.com>
CC:	Haiyang Zhang <haiyangz@...rosoft.com>,
	Bjorn Helgaas <bhelgaas@...gle.com>,
	"devel@...uxdriverproject.org" <devel@...uxdriverproject.org>,
	"linux-pci@...r.kernel.org" <linux-pci@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>
Subject: RE: [patch] PCI: hv: potential use after free

> -----Original Message-----
> From: Dan Carpenter [mailto:dan.carpenter@...cle.com]
> Sent: Saturday, February 27, 2016 2:44 AM
> To: KY Srinivasan <kys@...rosoft.com>; Jake Oshins
> <jakeo@...rosoft.com>
> Cc: Haiyang Zhang <haiyangz@...rosoft.com>; Bjorn Helgaas
> <bhelgaas@...gle.com>; devel@...uxdriverproject.org; linux-
> pci@...r.kernel.org; linux-kernel@...r.kernel.org; kernel-
> janitors@...r.kernel.org
> Subject: [patch] PCI: hv: potential use after free
> 
> If we throw away the very last item on the list, then we could end up
> with a use after free of "dr".
> 
> Fixes: 15ca17645f19 ('PCI: hv: Add paravirtual PCI front-end for Microsoft
> Hyper-V VMs')
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> 
> diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c
> index 9391dee..9b66ffe 100644
> --- a/drivers/pci/host/pci-hyperv.c
> +++ b/drivers/pci/host/pci-hyperv.c
> @@ -1397,6 +1397,7 @@ static void pci_devices_present_work(struct
> work_struct *work)
>  		/* Throw this away if the list still has stuff in it. */
>  		if (!list_empty(&hbus->dr_list)) {
>  			kfree(dr);
> +			dr = NULL;
>  			continue;
>  		}
>  	}
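Review bot: the `dr = NULL` added after `kfree(dr)` is immediately followed by `continue`, and this branch runs only when `list_empty(&hbus->dr_list)` is false, so the loop resumes with a non-empty list and, if `dr` is reacquired at the top of each iteration, the NULL is overwritten before anything can read it; the assignment can only matter if the loop can exit from this branch, and the loop header and any post-loop use of `dr` are not in the hunk. The commit message says the last item can be thrown away, but the visible guard frees an entry only while other entries remain, so please quote the loop condition and the later dereference in the description to show the use-after-free is reachable; from the hunk alone this reads as a harmless NULL assignment in an unreachable state rather than a fix.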

Thanks for looking at this.  I do truly appreciate it.  But the code here removes dr from the list and then, before freeing it, checks to see that it was not the last entry in the list.  The list lock is still held and the list is not empty even after removing dr from it.

(I suspect that you're going to tell me that I'm missing something here.  Please do.  I'll appreciate it even more.)

Thanks,
Jake
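To make the control flow Jake describes concrete, here is an added user-space model of that drain loop. It is example code, not the driver's: the `list_head` stand-in helpers, the `hv_dr_state` record, the `drain_keep_last` function and the loop shape (pop the head, free it only while the list is still non-empty) are assumptions drawn from the quoted hunk and the reply, not from the full pci-hyperv.c source. It shows that the last entry popped is never freed, so a pointer to it remains valid after the loop, and that the `free()` path always resumes the loop from a non-empty list.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for <linux/list.h>: a circular doubly linked list
 * headed by a sentinel node, so the example builds in user space. */
struct list_head { struct list_head *prev, *next; };

static void list_init(struct list_head *h) { h->prev = h->next = h; }
static int list_is_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail_(struct list_head *h, struct list_head *n)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
static void list_del_(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical "devices present" record. The real struct in pci-hyperv.c
 * is not shown on this page; only a sequence number is modelled here. */
struct hv_dr_state { struct list_head list_entry; int seq; };

/* Drain dr_list the way the reply describes: pop the head, and free it only
 * while the list is still non-empty. The last entry popped is never freed and
 * is returned to the caller (NULL if the list was empty); the caller owns it.
 * freed_out receives the number of entries freed. */
static struct hv_dr_state *drain_keep_last(struct list_head *dr_list, int *freed_out)
{
    struct hv_dr_state *dr = NULL;
    int freed = 0;

    while (!list_is_empty(dr_list)) {
        dr = container_of(dr_list->next, struct hv_dr_state, list_entry);
        list_del_(&dr->list_entry);
        /* Throw this away if the list still has stuff in it. */
        if (!list_is_empty(dr_list)) {
            free(dr);
            freed++;
            continue;   /* list is non-empty here: loop runs again, dr is reassigned */
        }
        /* list is now empty: dr is the newest state and is still allocated */
    }
    *freed_out = freed;
    return dr;
}

/* Build a list of n entries numbered 1..n (constructed test input). */
static void build_list(struct list_head *h, int n)
{
    int i;
    list_init(h);
    for (i = 1; i <= n; i++) {
        struct hv_dr_state *dr = malloc(sizeof *dr);
        if (!dr) { perror("malloc"); exit(1); }
        dr->seq = i;
        list_add_tail_(h, &dr->list_entry);
    }
}

/* Sequence number of the entry that survives draining n entries, or -1. */
static int survivor_seq(int n)
{
    struct list_head h;
    int freed, seq = -1;
    struct hv_dr_state *last;

    build_list(&h, n);
    last = drain_keep_last(&h, &freed);
    if (last) { seq = last->seq; free(last); }
    return seq;
}

/* Number of entries freed while draining n entries. */
static int freed_during_drain(int n)
{
    struct list_head h;
    int freed;
    struct hv_dr_state *last;

    build_list(&h, n);
    last = drain_keep_last(&h, &freed);
    free(last);   /* free(NULL) is a no-op */
    return freed;
}

int main(void)
{
    printf("3 queued: survivor seq %d, freed %d\n", survivor_seq(3), freed_during_drain(3));
    printf("1 queued: survivor seq %d, freed %d\n", survivor_seq(1), freed_during_drain(1));
    printf("0 queued: survivor seq %d, freed %d\n", survivor_seq(0), freed_during_drain(0));
    return 0;
}
```

With three queued states the first two are freed and the third is returned intact; with one queued state nothing is freed; with none the function returns NULL and frees nothing. Under this loop shape there is no iteration in which `dr` is freed and the loop then exits, which is the point the reply makes.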
