| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fc719c9c-db6a-9254-2d6d-918946c5a18d@ispras.ru>
Date: Tue, 15 Aug 2017 15:59:50 +0300
From: Anton Volkov <avolkov@...ras.ru>
To: johan@...nel.org, gregkh@...uxfoundation.org,
wsa-dev@...g-engineering.com
Cc: linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
ldv-project@...uxtesting.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>
Subject: Possible null pointer dereference in adutux.ko
Hello.
While searching for races in the Linux kernel I've come across
"drivers/usb/misc/adutux.ko" module. Here is a question that I came up
with while analyzing results. Lines are given using the info from Linux
v4.12.
Consider the following case:
Thread 1: Thread 2:
adu_release
->adu_release_internal adu_disconnect
<READ &dev->udev->dev> dev->udev = NULL
(adutux.c: line 298) (adutux.c: line 771)
usb_deregister_dev
Comments in the source code point at the possibility of adu_release()
being called separately from adu_disconnect(). adu_release() and
adu_disconnect() acquire different mutexes, so they are not protected
from one another. If adu_disconnect() changes dev->udev before its value
is read in adu_release_internal() there will be a NULL pointer
dereference on a read attempt. Is this case feasible from your point of
view?
Thank you for your time.
-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@...ras.ru
Powered by blists - more mailing lists