Message-ID: <0be1372b-7266-d660-676b-4693d8e202c9@ispras.ru>
Date:   Fri, 18 Aug 2017 17:15:58 +0300
From:   Anton Volkov <avolkov@...ras.ru>
To:     amax@...ibm.com
Cc:     arnd@...db.de, gregkh@...uxfoundation.org,
        linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org,
        Alexey Khoroshilov <khoroshilov@...ras.ru>
Subject: Possible race in ibmasm.ko

Hello.

While searching for races in the Linux kernel I've come across the
"drivers/misc/ibmasm/ibmasm.ko" module. Here is a question that I came 
up with while analyzing the results. Lines are given using the info from 
Linux v4.12.

Consider the following case:

Thread 1:                        Thread 2:
ibmasm_interrupt_handler
->ibmasm_receive_message
  ->ibmasm_receive_event         event_file_open
     buffer = sp->event_buffer   ->ibmasm_event_reader_register
     buffer->next_serial_number++    sp->event_buffer->next_serial_number
     (event.c: line 73)              (event.c: line 133)

There is a possibility of an event serial_number clash if, in 
ibmasm_event_reader_register, the value of the next_serial_number field is 
read before the assignment happens. This is possible only if the readers can 
dynamically subscribe to an event. Is this case feasible from your point 
of view?

Thank you for your time.

-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@...ras.ru
