lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20181226135618.12784-1-baijiaju1990@gmail.com>
Date:   Wed, 26 Dec 2018 21:56:18 +0800
From:   Jia-Ju Bai <baijiaju1990@...il.com>
To:     benh@...nel.crashing.org, dhowells@...hat.com, joel@....id.au,
        eajames@...ux.vnet.ibm.com, andrew@...id.au
Cc:     linux-kernel@...r.kernel.org, Jia-Ju Bai <baijiaju1990@...il.com>
Subject: [PATCH] fsi:fsi-sbefifo: Fix possible concurrency use-after-free bugs in sbefifo_user_release

In drivers/fsi/fsi-sbefifo.c, the functions sbefifo_user_release(), 
sbefifo_user_read() and sbefifo_user_write() may be concurrently executed.

sbefifo_user_release()
  sbefifo_release_command()
    vfree(user->pending_cmd);

sbefifo_user_read()
  mutex_lock();
  rc = __sbefifo_submit(sbefifo, user->pending_cmd, ...);

sbefifo_user_write()
  mutex_lock();
  user->pending_cmd = user->cmd_page;
  user->pending_cmd = vmalloc(len);

Thus, possible concurrency use-after-free bugs may occur in
sbefifo_user_release().

To fix these bugs, the calls to mutex_lock() and mutex_unlock() are
added in sbefifo_user_release().


Signed-off-by: Jia-Ju Bai <baijiaju1990@...il.com>
---
 drivers/fsi/fsi-sbefifo.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c
index d92f5b87c251..e278a9014b8f 100644
--- a/drivers/fsi/fsi-sbefifo.c
+++ b/drivers/fsi/fsi-sbefifo.c
@@ -900,8 +900,10 @@ static int sbefifo_user_release(struct inode *inode, struct file *file)
 	if (!user)
 		return -EINVAL;
 
+	mutex_lock(&user->file_lock);
 	sbefifo_release_command(user);
 	free_page((unsigned long)user->cmd_page);
+	mutex_unlock(&user->file_lock);
 	kfree(user);
 
 	return 0;
-- 
2.17.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ