| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20181022080609.GN2302@lahna.fi.intel.com>
Date: Mon, 22 Oct 2018 11:06:09 +0300
From: Mika Westerberg <mika.westerberg@...ux.intel.com>
To: Wenwen Wang <wang6495@....edu>
Cc: Kangjie Lu <kjlu@....edu>,
Andreas Noever <andreas.noever@...il.com>,
Michael Jamet <michael.jamet@...el.com>,
Yehezkel Bernat <YehezkelShB@...il.com>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] thunderbolt: fix a missing-check bug
On Sat, Oct 20, 2018 at 03:15:56PM -0500, Wenwen Wang wrote:
> In tb_ring_poll(), the flag of the frame, i.e.,
> 'ring->descriptors[ring->tail].flags', is checked to see whether the frame
> is completed. If yes, the frame including the flag will be read from the
> ring and returned to the caller. The problem here is that the flag is
> actually in a DMA region, which is allocated through dma_alloc_coherent()
> in tb_ring_alloc(). Given that the device can also access this DMA region,
> it is possible that a malicious device controlled by an attacker can modify
> the flag between the check and the copy. By doing so, the attacker can
> bypass the check and supply uncompleted frame, which can cause undefined
> behavior of the kernel and introduce potential security risk.
>
> This patch firstly copies the flag into a local variable 'desc_flags' and
> then performs the check and copy using 'desc_flags'. Through this way, the
> above issue can be avoided.
Same here :)
Powered by blists - more mailing lists