Message-ID: <20190107085724.GC26384@kroah.com>
Date:   Mon, 7 Jan 2019 09:57:24 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Jia-Ju Bai <baijiaju1990@...il.com>
Cc:     arnd@...db.de, viro@...iv.linux.org.uk,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [BUG] char: pcmcia: a possible concurrency double-free bug in
 rx_alloc_buffers()

On Mon, Jan 07, 2019 at 04:12:22PM +0800, Jia-Ju Bai wrote:
> In drivers/char/pcmcia/synclink_cs.c, the functions mgslpc_open() and hdlcdev_open() can be concurrently executed.
> 
> hdlcdev_open
>   startup
>     claim_resources
>       rx_alloc_buffers
>         line 2641: kfree(info->rx_buf)
> 
> mgslpc_open
>   startup
>     claim_resources
>       rx_alloc_buffers
>         line 2641: kfree(info->rx_buf)
> 
> Thus, a possible concurrency double-free bug may occur.

Wait, are you sure those really are the same structure, and that those
two functions can be called at the same time?  That is a tty and a
network device, are they both created at the same time or does opening
one create the other?

It's not obvious in looking at the code if this really is the same
structure or not, how did your tool figure it out?

thanks,

greg k-h
