lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Tue, 22 Aug 2017 19:26:23 +0300
From:   Anton Volkov <avolkov@...ras.ru>
To:     corbet@....net
Cc:     mchehab@...nel.org, linux-media@...r.kernel.org,
        linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org,
        Alexey Khoroshilov <khoroshilov@...ras.ru>
Subject: Possible memory leak in cafe_ccic.ko

Hello.

While searching for races in the Linux kernel I've come across 
"drivers/media/platform/marvell-ccic/cafe_ccic.ko" module. Here are 
questions that I came up with while analyzing results. Lines are given 
using the info from Linux v4.12.

Consider the following case:

Thread 1:                  Thread 2:
                            mcam_v4l_release
                            ->mcam_free_dma_bufs
                                cam->dma_bufs[i] = NULL
                                cam->nbufs = 0
cafe_pci_resume                (mcam-core.c: line 413)
->mccic_resume
   ->mcam_read_setup
     ->mcam_alloc_dma_bufs
       cam->dma_bufs[i] =
          dma_alloc_coherent()
          (mcam-core.c: line 381)

It looks like mcam_v4l_release() doesn't really shut the device down. In 
this case cafe_pci_resume() leaks memory for cam->dma_bufs[i] after 
mcam_v4l_release() freed and poisoned them. Is this feasible from your 
point of view?

Thank you for your time.

-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@...ras.ru

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ