lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1574938260.21204.5.camel@suse.com>
Date:   Thu, 28 Nov 2019 11:51:00 +0100
From:   Oliver Neukum <oneukum@...e.com>
To:     Alan Stern <stern@...land.harvard.edu>,
        syzbot <syzbot+9ca7a12fd736d93e0232@...kaller.appspotmail.com>
Cc:     andreyknvl@...gle.com, hverkuil@...all.nl,
        linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
        linux-usb@...r.kernel.org, mchehab@...nel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in si470x_int_in_callback (2)

Am Mittwoch, den 27.11.2019, 13:07 -0500 schrieb Alan Stern:
> Index: usb-devel/drivers/media/radio/si470x/radio-si470x-usb.c
> ===================================================================
> --- usb-devel.orig/drivers/media/radio/si470x/radio-si470x-usb.c
> +++ usb-devel/drivers/media/radio/si470x/radio-si470x-usb.c
> @@ -370,15 +370,14 @@ static void si470x_int_in_callback(struc
>         unsigned char tmpbuf[3];
>  
>         if (urb->status) {
> -               if (urb->status == -ENOENT ||
> +               if (!(urb->status == -ENOENT ||
>                                 urb->status == -ECONNRESET ||
> -                               urb->status == -ESHUTDOWN) {
> -                       return;
> -               } else {
> +                               urb->status == -ESHUTDOWN))
>                         dev_warn(&radio->intf->dev,
> -                        "non-zero urb status (%d)\n", urb->status);
> -                       goto resubmit; /* Maybe we can recover. */
> -               }
> +                                       "unrecognized urb status (%d)\n",
> +                                       urb->status);
> +               radio->int_in_running = 0;
> +               return;

Hi,

it is a bit awkward to complain here, as your patch tests as correct
while mine didn't, but this is a race condition.
You can't guarantee that urb->status != 0.
The kill may happen while the completion handler is running for
a successful transfer.

I really appreciate your help, but I must understand what is going
wrong here. You are stopping the resubmit, but how could the resubmit
ever have not failed?

	Regards
		Oliver

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ