| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 5 Aug 2019 14:24:18 +0200 (CEST)
From: Jiri Kosina <jikos@...nel.org>
To: Hillf Danton <hdanton@...a.com>
cc: syzbot <syzbot+62a1e04fd3ec2abf099e@...kaller.appspotmail.com>,
andreyknvl@...gle.com, benjamin.tissoires@...hat.com,
linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in hiddev_release
On Mon, 5 Aug 2019, Hillf Danton wrote:
> 1, no dev no open.
>
> --- a/drivers/hid/usbhid/hiddev.c
> +++ b/drivers/hid/usbhid/hiddev.c
> @@ -284,6 +284,10 @@ static int hiddev_open(struct inode *ino
> spin_unlock_irq(&list->hiddev->list_lock);
>
> mutex_lock(&hiddev->existancelock);
> + if (!list->hiddev->exist) {
> + res = -ENODEV;
> + goto bail_unlock;
> + }
> if (!list->hiddev->open++)
> if (list->hiddev->exist) {
> struct hid_device *hid = hiddev->hid;
> --
>
> 2, list_del before vfree.
>
> --- a/drivers/hid/usbhid/hiddev.c
> +++ b/drivers/hid/usbhid/hiddev.c
> @@ -300,6 +304,9 @@ bail_normal_power:
> hid_hw_power(hid, PM_HINT_NORMAL);
> bail_unlock:
> mutex_unlock(&hiddev->existancelock);
> + spin_lock_irq(&list->hiddev->list_lock);
> + list_del(&list->node);
> + spin_unlock_irq(&list->hiddev->list_lock);
> bail:
> file->private_data = NULL;
> vfree(list);
Hilf,
both patches look good to me. Could you please resend them properly so
that I could apply them? Thanks,
--
Jiri Kosina
SUSE Labs
Powered by blists - more mailing lists