| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 May 2020 18:50:50 +0000
From: "Winkler, Tomas" <tomas.winkler@...el.com>
To: 亿一 <teroincn@...il.com>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [BUG]is there a refcount leak in function mei_me_cl_rm_by_uuid?
> -----Original Message-----
> From: 亿一 <teroincn@...il.com>
> Sent: Wednesday, May 06, 2020 17:47
> To: Winkler, Tomas <tomas.winkler@...el.com>
> Cc: linux-kernel@...r.kernel.org
> Subject: [BUG]is there a refcount leak in function mei_me_cl_rm_by_uuid?
Unfortunately you are correct, but currently it is very hard to hit the issue in real life.
The patch is coming.
Thanks
Tomas
>
> HI, all
> When reviewing function mei_me_cl_rm_by_uuid, I notice that function
> __mei_me_cl_by_uuid increases me_cl refcount and function _mei_me_cl_del
> delete a list node with decrement me_cl refcount , actually here cause a
> refcount leak as we haven't release the refcount by __mei_me_cl_by_uuid ?
> similar issue happens in mei_me_cl_rm_by_uuid_id too.
>
> void mei_me_cl_rm_by_uuid(struct mei_device *dev, const uuid_le *uuid) {
> struct mei_me_client *me_cl;
>
> dev_dbg(dev->dev, "remove %pUl\n", uuid);
>
> down_write(&dev->me_clients_rwsem);
> me_cl = __mei_me_cl_by_uuid(dev, uuid); /* increase a refcount */
> __mei_me_cl_del(dev, me_cl); /* release the refcount with a list node deteled
> */
> up_write(&dev->me_clients_rwsem);
> }
>
> Best regards,
>
> Lin Yi.
Powered by blists - more mailing lists