lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1966479.zaHQfZ4vb1@avalon>
Date:   Wed, 09 Aug 2017 10:58:28 +0300
From:   Laurent Pinchart <laurent.pinchart@...asonboard.com>
To:     Kuninori Morimoto <kuninori.morimoto.gx@...esas.com>
Cc:     Anton Volkov <avolkov@...ras.ru>,
        Linux-Kernel <linux-kernel@...r.kernel.org>,
        Alexey Khoroshilov <khoroshilov@...ras.ru>,
        ldv-project@...uxtesting.org, dmaengine@...r.kernel.org,
        vinod.koul@...el.com, geert+renesas@...der.be,
        niklas.soderlund+renesas@...natech.se
Subject: Re: Possible null pointer dereference in rcar-dmac.ko

Hello,

On Wednesday 09 Aug 2017 00:49:40 Kuninori Morimoto wrote:
> Hi Anton
> 
> # add Laurent
> 
> > While searching for races in the Linux kernel I've come across
> > "drivers/dma/sh/rcar-dmac.ko" module. Here is a question that I came
> > up with while analyzing results. Lines are given using the info from
> > Linux v4.12.
> > 
> > Consider the following case:
> > 
> > Thread 1:                            Thread 2:
> > rcar_dmac_probe
> > ->rcar_dmac_chan_probe
> > 
> >              (&dmac->channels[i])
> >     
> >     rchan = &dmac->channels[i]
> >     chan = &rchan->chan
> >     devm_request_threaded_irq(rchan)
> >     chan->device = &dmac->engine    rcar_dmac_isr_channel
> >     
> >                                     ->rcar_dmac_isr_transfer_end(chan)
> >                                     
> >                                       ->rcar_dmac_chan_start_xfer(chan)
> >   
> >   engine->dev = &pdev->dev;               <READ chan->chan.device->dev>
> >   (rcar-dmac.c: line 1828)                (rcar-dmac.c: line 351)
> > 
> > As far as I understand engine->dev is NULL before its initialization
> > in probe. Thus there might be a NULL pointer dereference in
> > rcar_dmac_chan_start_xfer while accessing chan->chan.device->dev which
> > is equal to (&dmac->engine)->dev. Is this possible from your point of
> > view?
> 
> Very rare case, but not impossible (?).
> I think these engine->xxx initialize should be done before
> of_dma_controller_register();
> engine.channels is initialized independently somehow...

There should be no interrupt pending at the time the interrupt handler is 
registered, but to be safe it's indeed a good practice to register the 
interrupt handler after everything else has been initialized. Patches are 
welcome :-)

-- 
Regards,

Laurent Pinchart

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ