Message-ID: <1457669416.4062.62.camel@haakon3.risingtidesystems.com>
Date:	Thu, 10 Mar 2016 20:10:16 -0800
From:	"Nicholas A. Bellinger" <nab@...ux-iscsi.org>
To:	Andrzej Pietrasiewicz <andrzej.p@...sung.com>
Cc:	Felipe Balbi <balbi@...nel.org>,
	Dan Carpenter <dan.carpenter@...cle.com>,
	Christoph Hellwig <hch@....de>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
	Bart Van Assche <bart.vanassche@...disk.com>,
	linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
	target-devel@...r.kernel.org
Subject: Re: [patch -target tree] usb: gadget: f_tcm: use after free

On Thu, 2016-03-10 at 09:34 +0100, Andrzej Pietrasiewicz wrote:
> Hi Nicholas,
> 
> On 10.03.2016 at 06:19, Nicholas A. Bellinger wrote:
> > Hi Andrzej,
> >
> > On Wed, 2016-03-09 at 13:53 +0100, Andrzej Pietrasiewicz wrote:
> >> Hi Nicholas,
> >>

<SNIP>

> >
> > Mmmm, usbg_get_cmd() was missing an explicit memset() after tag lookup.
> >
> > How about the following..?
> >
> > diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
> > index e352a31..d4e8a91 100644
> > --- a/drivers/usb/gadget/function/f_tcm.c
> > +++ b/drivers/usb/gadget/function/f_tcm.c
> > @@ -1078,6 +1078,7 @@ static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu,
> >                  return ERR_PTR(-ENOMEM);
> >
> >          cmd = &((struct usbg_cmd *)se_sess->sess_cmd_map)[tag];
> > +       memset(cmd, 0, sizeof(*cmd));
> >          cmd->se_cmd.map_tag = tag;
> >          cmd->se_cmd.tag = cmd->tag = scsi_tag;
> >          cmd->fu = fu;
> >
> >
> >
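
Review bot: the memset() added after the sess_cmd_map[tag] lookup clears the whole struct usbg_cmd slot, embedded se_cmd included, and the lines that follow only visibly reinitialise map_tag, tag and fu. Please confirm that nothing stored in the slot is expected to persist across tag reuse (a pointer or buffer set up once per slot would be dropped without being freed), and name in the changelog which stale field led to the use after free so the reason for zeroing is recorded. The added line is also indented with spaces and does not line up with its context lines, which suggests whitespace damage in transit; resend it tab-indented so it applies cleanly.
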
> 
> I tested it. Works for me.

Folding this missing memset() into usb-gadget's percpu_ida conversion
for -v4.

Thanks Andrzej!
