| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <59D227AB.30906@linux.intel.com>
Date: Mon, 2 Oct 2017 14:48:59 +0300
From: Mathias Nyman <mathias.nyman@...ux.intel.com>
To: Jeffy Chen <jeffy.chen@...k-chips.com>,
linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-usb@...r.kernel.org, Mathias Nyman <mathias.nyman@...el.com>
Subject: Re: [PATCH v2] xhci: Cleanup current_cmd in
xhci_cleanup_command_queue()
On 29.09.2017 14:07, Jeffy Chen wrote:
> KASAN reported use-after-free bug when xhci host controller died:
> [ 176.952537] BUG: KASAN: use-after-free in xhci_handle_command_timeout+0x68/0x224
> [ 176.960846] Write of size 4 at addr ffffffc0cbb01608 by task kworker/3:3/1680
> ...
> [ 177.180644] Freed by task 0:
> [ 177.183882] kasan_slab_free+0x90/0x15c
> [ 177.188194] kfree+0x114/0x28c
> [ 177.191630] xhci_cleanup_command_queue+0xc8/0xf8
> [ 177.196916] xhci_hc_died+0x84/0x358
>
> Problem here is that when the cmd_timer fired, it would try to access
> current_cmd while the command queue is already freed by xhci_hc_died().
>
> Cleanup current_cmd in xhci_cleanup_command_queue() to avoid that.
>
> Fixes: d9f11ba9f107 ("xhci: Rework how we handle unresponsive or hoptlug removed hosts")
> Signed-off-by: Jeffy Chen <jeffy.chen@...k-chips.com>
> ---
>
>
Thanks, adding patch to queue
-Mathias
Powered by blists - more mailing lists