| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Aug 2019 15:00:40 -0400 (EDT)
From: Alan Stern <stern@...land.harvard.edu>
To: Prashant Malani <pmalani@...omium.org>
cc: syzbot <syzbot+22ae4e3b9fcc8a5c153a@...kaller.appspotmail.com>,
<andreyknvl@...gle.com>, <gregkh@...uxfoundation.org>,
<gustavo@...eddedor.com>, <linux-kernel@...r.kernel.org>,
<linux-usb@...r.kernel.org>, <syzkaller-bugs@...glegroups.com>
Subject: Re: KASAN: use-after-free Read in usb_kill_urb
On Fri, 9 Aug 2019, Prashant Malani wrote:
> Hi,
>
> I'm trying to get up to speed on USB kernel code. Sounds like
> dev->intf should have been set to NULL for the error path in
> ld_usb_probe() ?
Why should it?
After all, dev gets deallocated at the end of ld_usb_probe(), where
ld_usb_delete() is called. Who cares what value is stored in
deallocated memory?
Alan Stern
Powered by blists - more mailing lists