Message-ID: <576017D8.9080207@ispras.ru>
Date:	Tue, 14 Jun 2016 18:42:32 +0400
From:	Pavel Andrianov <andrianov@...ras.ru>
To:	Eugene Krasnikov <k.eugene.e@...il.com>
CC:	Kalle Valo <kvalo@...eaurora.org>, wcn36xx@...ts.infradead.org,
	linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org,
	Vaishali Thakkar <vaishali.thakkar@...cle.com>
Subject: [ldv-project] [net] wcn36xx: potential race condition

Hi!

There is a potential race condition in 
drivers/net/wireless/ath/wcn36xx/wcn36xx.ko. In wcn36xx_tx -> 
wcn36xx_start_tx -> wcn36xx_set_tx_data 
(http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/txrx.c#L176) 
there is a read of sta_priv->bss_dpu_desc_index and 
sta_priv->bss_sta_index. In wcn36xx_bss_info_changed -> 
wcn36xx_smd_config_bss -> wcn36xx_smd_config_bss_rsp 
(http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/smd.c#L1204) 
there is a write to the same fields. It seems that the handlers may be 
called in parallel and inconsistent data may be obtained.
The same problem is with sta_priv->sta_index and 
sta_priv->sta_dpu_desc_index:
http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/txrx.c#L181 

http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/smd.c#L986 

Is it a real bug? Is it enough to add mutex_lock to wcn36xx_set_tx_data?

-- 
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andrianov@...ras.ru
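
The access pattern reported above, as an added example that is not part of the original message or the wcn36xx driver: a user-space model that enumerates every interleaving of a two-store writer and a two-load reader over the fields `bss_sta_index` and `bss_dpu_desc_index`, then repeats the count with both sides holding one lock. The struct, the function names, the generation values 1 and 2, and the order of the loads and stores are assumptions; only sequentially consistent interleavings are modelled.

```c
#include <stdio.h>

/* Constructed model of the two fields named in the report. */
struct sta_model { int bss_sta_index, bss_dpu_desc_index; };

/* Bit i of mask set: step i is a writer step, else a reader step.
 * Returns 1 for a mixed old/new pair, 0 for a consistent pair,
 * -1 if the schedule cannot happen while both sides hold one lock. */
static int run_schedule(unsigned mask, int use_lock)
{
    struct sta_model s = { 1, 1 };   /* generation 1 = old values */
    int w = 0, r = 0, seen_sta = 0, seen_dpu = 0;
    int owner = -1;                  /* -1 free, 0 reader, 1 writer */

    for (int i = 0; i < 4; i++) {
        int is_writer = (mask >> i) & 1;
        if (use_lock) {
            if (owner != -1 && owner != is_writer)
                return -1;           /* other side is inside its section */
            owner = is_writer;
        }
        if (is_writer) {
            if (w++ == 0) s.bss_sta_index = 2;
            else s.bss_dpu_desc_index = 2;
            if (w == 2) owner = -1;  /* writer section done */
        } else {
            if (r++ == 0) seen_sta = s.bss_sta_index;
            else seen_dpu = s.bss_dpu_desc_index;
            if (r == 2) owner = -1;  /* reader section done */
        }
    }
    return seen_sta != seen_dpu;
}

/* Count possible schedules (torn_only == 0) or torn ones (torn_only == 1). */
static int count_schedules(int use_lock, int torn_only)
{
    int n = 0;
    for (unsigned mask = 0; mask < 16; mask++) {
        if (__builtin_popcount(mask) != 2) continue; /* 2 steps per side */
        int res = run_schedule(mask, use_lock);
        if (res >= 0 && (!torn_only || res == 1)) n++;
    }
    return n;
}

int main(void)
{
    printf("no lock: %d of %d schedules torn\n", count_schedules(0, 1), count_schedules(0, 0));
    printf("locked:  %d of %d schedules torn\n", count_schedules(1, 1), count_schedules(1, 0));
    return 0;
}
```

In this model the torn pairs disappear only because the writer and the reader take the same lock; a lock on the reader side alone leaves all six schedules possible.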
