lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <DM2PR0301MB1232C919B7845FAEC0B36BF3ABBA0@DM2PR0301MB1232.namprd03.prod.outlook.com>
Date:	Mon, 29 Feb 2016 17:21:18 +0000
From:	Jake Oshins <jakeo@...rosoft.com>
To:	Dan Carpenter <dan.carpenter@...cle.com>,
	KY Srinivasan <kys@...rosoft.com>
CC:	Haiyang Zhang <haiyangz@...rosoft.com>,
	Bjorn Helgaas <bhelgaas@...gle.com>,
	"devel@...uxdriverproject.org" <devel@...uxdriverproject.org>,
	"linux-pci@...r.kernel.org" <linux-pci@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>
Subject: RE: [patch] PCI: hv: potential use after free

> -----Original Message-----
> From: Dan Carpenter [mailto:dan.carpenter@...cle.com]
> Sent: Saturday, February 27, 2016 2:44 AM
> To: KY Srinivasan <kys@...rosoft.com>; Jake Oshins
> <jakeo@...rosoft.com>
> Cc: Haiyang Zhang <haiyangz@...rosoft.com>; Bjorn Helgaas
> <bhelgaas@...gle.com>; devel@...uxdriverproject.org; linux-
> pci@...r.kernel.org; linux-kernel@...r.kernel.org; kernel-
> janitors@...r.kernel.org
> Subject: [patch] PCI: hv: potential use after free
> 
> If we throw away the very last item on the list, then we could end up
> with a use after free of "dr".
> 
> Fixes: 15ca17645f19 ('PCI: hv: Add paravirtual PCI front-end for Microsoft
> Hyper-V VMs')
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> 
> diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c
> index 9391dee..9b66ffe 100644
> --- a/drivers/pci/host/pci-hyperv.c
> +++ b/drivers/pci/host/pci-hyperv.c
> @@ -1397,6 +1397,7 @@ static void pci_devices_present_work(struct
> work_struct *work)
>  		/* Throw this away if the list still has stuff in it. */
>  		if (!list_empty(&hbus->dr_list)) {
>  			kfree(dr);
> +			dr = NULL;
>  			continue;
>  		}
>  	}

Thanks for looking at this.  I do truly appreciate it.  But the code here removes dr from the list and then, before freeing it, checks to see that it was not the last entry in the list.   The list lock is still held and the list is not empty even after removing dr from it.

(I suspect that you're going to tell me that I'm missing something here.  Please do.  I'll appreciate it even more.)

Thanks,
Jake

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ