| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <660deb7a-53d0-133c-02dc-c9b4a0de9ae6@ispras.ru>
Date: Tue, 22 Aug 2017 17:51:14 +0300
From: Anton Volkov <avolkov@...ras.ru>
To: lucht@...emercs.com, johan@...nel.org
Cc: Greg KH <gregkh@...uxfoundation.org>, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>
Subject: Possible double free in iowarrior.ko
Hello.
While searching for races in the Linux kernel I've come across
"drivers/usb/misc/iowarrior.ko" module. Here are questions that I came
up with while analyzing results. Lines are given using the info from
Linux v4.12.
Consider the following case:
Thread 1: Thread 2:
iowarrior_release iowarrior_disconnect
mutex_lock(&dev->mutex)
dev->present = 0
(iowarrior.c: line 889)
mutex_lock(&dev->mutex) mutex_unlock(&dev->mutex)
dev->opened = 0
(iowarrior.c: line 666) if(dev->opened){
if(dev->present){ //dev->opened == 0
//dev->present ==0
} else { } else {
mutex_unlock(&dev->mutex) iowarrior_delete(dev)
iowarrior_delete(dev) }
}
In this case double free of several pointers inside iowarrior_delete
becomes possible and no calls to usb_kill_urb() and
wake_up_interruptible() are present. Is this feasible from your point of
view? If so, maybe it is a good idea to move mutex_unlock(&dev->mutex)
in iowarrior_disconnect() further down like in iowarrior_release() in
both 'if' branches?
Thank you for your time
-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@...ras.ru
Powered by blists - more mailing lists