Date: Thu, 26 Apr 2018 08:53:21 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Sun Peng <sun_peng@...sec.com.cn> Cc: Jiri Slaby <jslaby@...e.com>, linux-kernel@...r.kernel.org, security@...nel.org, Tony Lindgren <tony@...mide.com>, Lars Poeschel <poeschel@...onage.de>, Sascha Hauer <s.hauer@...gutronix.de> Subject: [PATCH 2/4] tty: n_gsm: Prevent a potential use after free We're freeing the gsm->dlci[] array elements but leaving the freed pointers hanging around. My concern here is if we use the ioctl to change the config, it triggers a restart in gsmld_config(). In that case, we would only reset the first ->dlci[0] element and not the others so it does look to me like a possible use after free. Reported-by: Sun Peng <sun_peng@...sec.com.cn> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com> diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index cc7f68814200..1f2fd9e76fe0 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -2075,9 +2075,11 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm) /* Free up any link layer users */ mutex_lock(&gsm->mutex); - for (i = 0; i < NUM_DLCI; i++) + for (i = 0; i < NUM_DLCI; i++) { if (gsm->dlci[i]) gsm_dlci_release(gsm->dlci[i]); + gsm->dlci[i] = NULL; + } mutex_unlock(&gsm->mutex); /* Now wipe the queues */ list_for_each_entry_safe(txq, ntxq, &gsm->tx_list, list)
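Review bot: The new `gsm->dlci[i] = NULL;` in the gsm_cleanup_mux() loop is written while gsm->mutex is held, so it only protects code that reads gsm->dlci[] under that mutex or after cleanup has finished, and only if that code checks the slot for NULL before dereferencing it. The commit message describes the problem as "possible" and names the restart in gsmld_config() as the trigger, but does not say which function goes on to touch the stale entries; naming that reader, and confirming it tests for NULL, would show the hunk closes the use after free rather than turning it into a NULL dereference. The store also sits outside the `if (gsm->dlci[i])` test, which is harmless but would read more clearly inside a braced `if` body next to the release call. A Fixes: tag would help backporters, since the message gives no indication of when the stale pointers were introduced.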