| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9aac6eca-e553-0b49-d5ce-e49029b52fdc@ispras.ru>
Date: Tue, 22 Aug 2017 19:26:23 +0300
From: Anton Volkov <avolkov@...ras.ru>
To: corbet@....net
Cc: mchehab@...nel.org, linux-media@...r.kernel.org,
linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>
Subject: Possible memory leak in cafe_ccic.ko
Hello.
While searching for races in the Linux kernel I've come across
"drivers/media/platform/marvell-ccic/cafe_ccic.ko" module. Here are
questions that I came up with while analyzing results. Lines are given
using the info from Linux v4.12.
Consider the following case:
Thread 1: Thread 2:
mcam_v4l_release
->mcam_free_dma_bufs
cam->dma_bufs[i] = NULL
cam->nbufs = 0
cafe_pci_resume (mcam-core.c: line 413)
->mccic_resume
->mcam_read_setup
->mcam_alloc_dma_bufs
cam->dma_bufs[i] =
dma_alloc_coherent()
(mcam-core.c: line 381)
It looks like mcam_v4l_release() doesn't really shut the device down. In
this case cafe_pci_resume() leaks memory for cam->dma_bufs[i] after
mcam_v4l_release() freed and poisoned them. Is this feasible from your
point of view?
Thank you for your time.
-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@...ras.ru
Powered by blists - more mailing lists