| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1927662.l0xhZ6GL0u@debian64>
Date: Wed, 21 Sep 2016 18:29:26 +0200
From: Christian Lamparter <chunkeey@...glemail.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: Christian Lamparter <chunkeey@...glemail.com>,
Kalle Valo <kvalo@...eaurora.org>,
linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org,
b43-dev@...ts.infradead.org, Nicolai Stange <nicstange@...il.com>,
Ben Greear <greearb@...delatech.com>,
Larry Finger <Larry.Finger@...inger.net>
Subject: Re: [PATCH 2/4] carl9170: fix debugfs crashes
On Wednesday, September 21, 2016 12:13:25 PM CEST Greg KH wrote:
> On Sat, Sep 17, 2016 at 09:43:02PM +0200, Christian Lamparter wrote:
> > Ben Greear reported:
> > > I see lots of instability as soon as I load up the carl9710 NIC.
> > > My application is going to be poking at it's debugfs files...
> > >
> > > BUG: KASAN: slab-out-of-bounds in carl9170_debugfs_read+0xd5/0x2a0
> > > [carl9170] at addr ffff8801bc1208b0
> > > Read of size 8 by task btserver/5888
> > > =======================================================================
> > > BUG kmalloc-256 (Tainted: G W ): kasan: bad access detected
> > > -----------------------------------------------------------------------
> > >
> > > INFO: Allocated in seq_open+0x50/0x100 age=2690 cpu=2 pid=772
> > >...
> >
> > This breakage was caused by the introduction of intermediate
> > fops in debugfs by commit 9fd4dcece43a
> > ("debugfs: prevent access to possibly dead file_operations at file open")
> >
> > Thankfully, the original/real fops are still available in d_fsdata.
> >
> > Reported-by: Ben Greear <greearb@...delatech.com>
> > Reviewed-by: Nicolai Stange <nicstange@...il.com>
> > Signed-off-by: Christian Lamparter <chunkeey@...il.com>
> > Acked-by: Kalle Valo <kvalo@...eaurora.org>
> > Cc: stable <stable@...r.kernel.org> # 4.7+
> > ---
> > drivers/net/wireless/ath/carl9170/debug.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/wireless/ath/carl9170/debug.c b/drivers/net/wireless/ath/carl9170/debug.c
> > index 01a0919..ad7ffd5 100644
> > --- a/drivers/net/wireless/ath/carl9170/debug.c
> > +++ b/drivers/net/wireless/ath/carl9170/debug.c
> > @@ -75,7 +75,7 @@ static ssize_t carl9170_debugfs_read(struct file *file, char __user *userbuf,
> >
> > if (!ar)
> > return -ENODEV;
> > - dfops = container_of(file->f_path.dentry->d_fsdata,
> > + dfops = container_of(debugfs_real_fops(file),
> > struct carl9170_debugfs_fops, fops);
> >
> > if (!dfops->read)
> > @@ -128,7 +128,7 @@ static ssize_t carl9170_debugfs_write(struct file *file,
> >
> > if (!ar)
> > return -ENODEV;
> > - dfops = container_of(file->f_path.dentry->d_fsdata,
> > + dfops = container_of(debugfs_real_fops(file),
> > struct carl9170_debugfs_fops, fops);
> > if (!dfops->write)
> > return -ENOSYS;
>
> What tree is this against? I can't apply it to 4.8-rc5, or 4.8-rc7, are
> you sure it is still needed?
---
Yes, the patch is needed. That said I screwed this patch up and as a result
it is faulty. I'll send out v2 shortly
Thanks,
Christian
Powered by blists - more mailing lists