| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20181022080553.GM2302@lahna.fi.intel.com>
Date: Mon, 22 Oct 2018 11:05:53 +0300
From: Mika Westerberg <mika.westerberg@...ux.intel.com>
To: Wenwen Wang <wang6495@....edu>
Cc: Kangjie Lu <kjlu@....edu>,
Andreas Noever <andreas.noever@...il.com>,
Michael Jamet <michael.jamet@...el.com>,
Yehezkel Bernat <YehezkelShB@...il.com>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] thunderbolt: fix a missing-check bug
On Sat, Oct 20, 2018 at 02:47:49PM -0500, Wenwen Wang wrote:
> In ring_work(), the first while loop is used to collect all completed
> frames from the ring buffer. In each iteration of this loop, the flag of
> the frame, i.e., 'ring->descriptors[ring->tail].flags' is firstly check to
> see whether the frame is completed. If yes, the descriptor of the frame,
> including the flag, is then copied. It is worth noting that the descriptor
> is actually in a DMA region, which is allocated through
> dma_alloc_coherent() in tb_ring_alloc(). Given that the device can also
> access the DMA region, a malicious device controlled by an attacker can
> race to modify the flag of the frame after the check but before the copy.
> By doing so, the attacker can bypass the check and supply uncompleted
> frame, which can cause undefined behavior of the kernel and introduce
> potential security risk.
>
> This patch firstly copies the flag into a local variable 'desc_flags' and
> then performs the check and copy using 'desc_flags'. Through this way, the
> above issue can be avoided.
Ditto :)
Powered by blists - more mailing lists