lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 6 May 2020 10:08:49 -0400 (EDT)
From:   Alan Stern <stern@...land.harvard.edu>
To:     Oliver Neukum <oneukum@...e.com>
cc:     syzbot <syzbot+be5b5f86a162a6c281e6@...kaller.appspotmail.com>,
        <andreyknvl@...gle.com>, <gregkh@...uxfoundation.org>,
        <linux-kernel@...r.kernel.org>, <linux-usb@...r.kernel.org>,
        <syzkaller-bugs@...glegroups.com>, <zaitcev@...hat.com>
Subject: Re: KASAN: use-after-free Read in usblp_bulk_read

On Wed, 6 May 2020, Oliver Neukum wrote:

> Am Donnerstag, den 30.04.2020, 11:11 -0400 schrieb Alan Stern:
> 
> > KASAN is documented.  The difficulty is that this race is obviously 
> > hard to trigger, and without the ability to reproduce it we can't run 
> > diagnostics to find the underlying cause.
> > 
> > We can't even ask syzbot to try running tests for us; without a valid 
> > reproducer it won't agree to rerun the original test program.
> 
> 
> Very well. We are not going to find it without exceptional luck. Yet
> there may be a real issue, too. We simply do not know. How about the
> attached patch?

It's okay with me (apart from the typo in the patch description: "UB").

Alan Stern

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ