lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20180618022400.GA1893@hle-laptop.local>
Date:   Sun, 17 Jun 2018 22:24:00 -0400
From:   Hugo Lefeuvre <hle@....eu.com>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     devel@...verdev.osuosl.org,
        Marcus Wolf <linux@...f-entwicklungen.de>,
        linux-kernel@...r.kernel.org
Subject: [PATCH] staging: pi433: fix race condition in pi433_open

Whenever pi433_open and pi433_remove execute concurrently, a race
condition potentially resulting in use-after-free might happen.

Let T1 and T2 be two kernel threads.

1. T1 executes pi433_open and stops before "device->users++".
2. The pi433 device was removed inbetween, so T2 executes pi433_remove
   and frees device because the user count has not been incremented yet.
3. T1 executes "device->users++" (use-after-free).

This race condition happens because the check of minor number and
user count increment does not happen atomically.

Fix: Extend scope of minor_lock in pi433_open().

Signed-off-by: Hugo Lefeuvre <hle@....eu.com>
---
 drivers/staging/pi433/pi433_if.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/pi433/pi433_if.c b/drivers/staging/pi433/pi433_if.c
index 94e0bfcec991..73c511249f7f 100644
--- a/drivers/staging/pi433/pi433_if.c
+++ b/drivers/staging/pi433/pi433_if.c
@@ -957,11 +957,13 @@ static int pi433_open(struct inode *inode, struct file *filp)
 
 	mutex_lock(&minor_lock);
 	device = idr_find(&pi433_idr, iminor(inode));
-	mutex_unlock(&minor_lock);
 	if (!device) {
+		mutex_unlock(&minor_lock);
 		pr_debug("device: minor %d unknown.\n", iminor(inode));
 		return -ENODEV;
 	}
+	device->users++;
+	mutex_unlock(&minor_lock);
 
 	if (!device->rx_buffer) {
 		device->rx_buffer = kmalloc(MAX_MSG_SIZE, GFP_KERNEL);
@@ -969,7 +971,6 @@ static int pi433_open(struct inode *inode, struct file *filp)
 			return -ENOMEM;
 	}
 
-	device->users++;
 	instance = kzalloc(sizeof(*instance), GFP_KERNEL);
 	if (!instance) {
 		kfree(device->rx_buffer);
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ