| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Aug 2017 19:00:05 +0300
From: Anton Vasilyev <vasilyev@...ras.ru>
To: Alan Stern <stern@...land.harvard.edu>
Cc: Felipe Balbi <balbi@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jussi Kivilinna <jussi.kivilinna@...tian.com>,
Peter Senna Tschudin <peter.senna@...labora.com>,
Raz Manor <Raz.Manor@...ens.com>,
Romain Perier <romain.perier@...labora.com>,
linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
ldv-project@...uxtesting.org
Subject: Re: [PATCH] udc: Memory leak on error path and use after free
On 16.08.2017 18:29, Alan Stern wrote:
> On Wed, 16 Aug 2017, Anton Vasilyev wrote:
>
>> gadget_release() is responsible for cleanup dev memory.
>> But if net2280_probe() fails after dev allocation, then
>> gadget_release() become unregistered and dev memory leaks.
>
> This isn't needed if usb_add_gadget_udc_release() is fixed, right?
>
No, this situation could appear before call
usb_add_gadget_udc_release().
>> Also net2280_remove() calls usb_del_gadget_udc() which
>> perform schedule_delayed_work() with gadget_release(), so
>> it is possible that dev will be deallocated exactly after
>> this call and leads to use after free.
>
> Where is there a possible use after free?
>
net2280_remove() continue work with struct net2280 *dev after call
usb_del_gadget_udc(&dev->gadget), but this net2280 *dev could be
deallocated by gadget_release()
>> The patch moves deallocation from gadget_release() to
>> net2280_remove().
>
> Alan Stern
>
--
Anton Vasilyev
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: vasilyev@...ras.ru
Powered by blists - more mailing lists