| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Aug 2017 18:12:38 +0300
From: Anton Volkov <avolkov@...ras.ru>
To: bhumirks@...il.com
Cc: gregkh@...uxfoundation.org, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>
Subject: Possible null pointer dereference in isp1760.ko
Hello.
While searching for races in the Linux kernel I've come across
"drivers/usb/isp1760/isp1760.ko" module. Here is a question that I came
up with while analyzing results. Lines are given using the info from
Linux v4.12.
Consider the following case:
Thread 1: Thread 2:
isp1760_plat_probe
-> isp1760_register
-> isp1760_udc_register
request_irq(...,udc)
-> isp1760_udc_init_eps(udc) isp1760_udc_irq
for(i = 0; ...){ for(i = 0; ...) {
ep = &udc->ep[i] ep = &udc->ep[i%2]
-> isp1760_ep_rx_ready(ep)
INIT_LIST_HEAD(ep->queue) list_empty(&ep->queue)
(isp1760-udc.c: line 1367) (isp1760-udc.c: line 303)
As far as I understand ep->queue is NULL before its initialization in
isp1760_udc_init_eps and list_empty() tries to access the '->next'
pointer member of the passed parameter.
Is this case possible from your point of view?
Thank you for your time.
-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@...ras.ru
Powered by blists - more mailing lists