lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20180412142803.cd235a40155503700dc73b21@linux-foundation.org>
Date:   Thu, 12 Apr 2018 14:28:03 -0700
From:   Andrew Morton <akpm@...ux-foundation.org>
To:     Ioan Nicu <ioan.nicu.ext@...ia.com>
Cc:     Alexandre Bounine <alex.bou9@...il.com>,
        Barry Wood <barry.wood@....com>,
        Matt Porter <mporter@...nel.crashing.org>,
        Christophe JAILLET <christophe.jaillet@...adoo.fr>,
        Al Viro <viro@...iv.linux.org.uk>,
        Logan Gunthorpe <logang@...tatee.com>,
        Chris Wilson <chris@...is-wilson.co.uk>,
        Tvrtko Ursulin <tvrtko.ursulin@...el.com>,
        Frank Kunz <frank.kunz@...ia.com>,
        Alexander Sverdlin <alexander.sverdlin@...ia.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rapidio: fix rio_dma_transfer error handling

On Thu, 12 Apr 2018 17:06:05 +0200 Ioan Nicu <ioan.nicu.ext@...ia.com> wrote:

> Some of the mport_dma_req structure members were initialized late
> inside the do_dma_request() function, just before submitting the
> request to the dma engine. But we have some error branches before
> that. In case of such an error, the code would return on the error
> path and trigger the calling of dma_req_free() with a req structure
> which is not completely initialized. This causes a NULL pointer
> dereference in dma_req_free().
> 
> This patch fixes these error branches by making sure that all
> necessary mport_dma_req structure members are initialized in
> rio_dma_transfer() immediately after the request structure gets
> allocated.

This sounds like something which someone has actually triggered in a
real-world situation.  So I added a cc:stable.  Please let me know if
that was inappropriate.

And please remember to always include all information regarding
end-user impact when fixing bugs.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ