lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 24 Jul 2017 15:30:36 +0300
From:   Anton Volkov <avolkov@...ras.ru>
To:     ldewangan@...dia.com
Cc:     jonathanh@...dia.com, broonie@...nel.org, thierry.reding@...il.com,
        linux-spi@...r.kernel.org, linux-tegra@...r.kernel.org,
        linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org,
        khoroshilov@...ras.ru
Subject: Possible race in spi-tegra114.ko

Hello.
While searching for races in Linux kernel I've come across 
drivers/spi/spi-tegra114.ko module. Here is the question that I came up 
with while analysing results. Lines are given using the info from Linux 
v4.12.

Consider the following case:
Thread 1:                                  Thread 2:
tegra_spi_probe
   -> request_threaded_irq
       (spi-tegra114.c: line 1070)
   ------------interrupt comes------------- tegra_spi_isr_thread
                                              -> handle_dma_based_xfer
                                                   -> 
tegra_spi_start_dma_based_transfer
                                                        -> 
tegra_spi_copy_client_txbuf_to_spi_txbuf
                                                             -> 
dma_sync_single_for_cpu(tspi->dev, tspi->tx_dma_phys, ...) 
(spi-tegra114.c: line 368)
   -> tspi->tx_dma_phys = ...
      (spi-tegra114.c: line 621 or 625)

If the situation above is feasible then the value of tspi->tx_dma_phys 
(which is 0) is passed to dma_sync_single_for_cpu and further down the 
callstack. This is probably not good.
Note that other fields of tspi structure can also be affected using the 
similar templates.
Similar cases can occur also for tspi structure in 
drivers/spi/spi-tegra20-slink.ko module and for tsd structure in 
drivers/spi/spi-tegra20-sflash.ko module.
So the question is: is there a possibility of interrupt triggering 
before the registration of master (spi-tegra114.c: line 1125) or a write 
to tspi->def_command1_reg (spi-tegra114.c: line 1121)?

Thank you for your time.

-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@...ras.ru <mailto:avolkov@...ras.ru>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ