| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aa97a9ea-ea55-4c22-8e2f-5929039afaeb@canonical.com>
Date: Tue, 28 Mar 2017 13:52:14 +0100
From: Colin Ian King <colin.king@...onical.com>
To: Felipe Balbi <balbi@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Michal Nazarewicz <mina86@...a86.com>,
"Gustavo A . R . Silva" <garsilva@...eddedor.com>,
Iago Abal <mail@...oabal.eu>,
Romain Perier <romain.perier@...labora.com>,
linux-usb@...r.kernel.org
Cc: kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] usb: gadget: pch_udc: don't update td->next after it has
been released to the pool
On 28/03/17 13:51, Felipe Balbi wrote:
>
> Hi,
>
> Colin King <colin.king@...onical.com> writes:
>> From: Colin Ian King <colin.king@...onical.com>
>>
>> Writing to td->next should be avoided after td has been freed using
>> dma_pool_free. The intent was to nullify the next pointer, but this
>> is potentially dangerous once it is back in the pool. Remove it.
>>
>> Detected by CoverityScan, CID#1091173 ("Write tp pointer after free")
>>
>> Signed-off-by: Colin Ian King <colin.king@...onical.com>
>> ---
>> drivers/usb/gadget/udc/pch_udc.c | 1 -
>> 1 file changed, 1 deletion(-)
>>
>> diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
>> index 84dcbcd756f0..08bbe2c24134 100644
>> --- a/drivers/usb/gadget/udc/pch_udc.c
>> +++ b/drivers/usb/gadget/udc/pch_udc.c
>> @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev,
>> td = phys_to_virt(addr);
>> addr2 = (dma_addr_t)td->next;
>> dma_pool_free(dev->data_requests, td, addr);
>> - td->next = 0x00;
>
> I already have a patch for this, thanks
Ah, I somehow overlooked that. Good to see it is fixed.
Colin
>
> 1f459262b0e1649a1e5ad12fa4c66eb76c2220ce
> Author: Gustavo A. R. Silva <garsilva@...eddedor.com>
> AuthorDate: Fri Mar 10 15:39:32 2017 -0600
> Commit: Felipe Balbi <felipe.balbi@...ux.intel.com>
> CommitDate: Wed Mar 22 11:21:10 2017 +0200
>
> usb: gadget: udc: remove pointer dereference after free
>
> Remove pointer dereference after free.
>
> Addresses-Coverity-ID: 1091173
> Acked-by: Michal Nazarewicz <mina86@...a86.com>
> Signed-off-by: Gustavo A. R. Silva <garsilva@...eddedor.com>
> Signed-off-by: Felipe Balbi <felipe.balbi@...ux.intel.com>
>
> 1 file changed, 1 deletion(-)
> drivers/usb/gadget/udc/pch_udc.c | 1 -
>
> modified drivers/usb/gadget/udc/pch_udc.c
> @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev,
> td = phys_to_virt(addr);
> addr2 = (dma_addr_t)td->next;
> pci_pool_free(dev->data_requests, td, addr);
> - td->next = 0x00;
> addr = addr2;
> }
> req->chain_len = 1;
>
Powered by blists - more mailing lists