| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 May 2020 10:18:23 +0200
From: Jürgen Groß <jgross@...e.com>
To: Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Marek Marczykowski-Górecki
<marmarek@...isiblethingslab.com>
Cc: xen-devel@...ts.xenproject.org, linux-kernel@...r.kernel.org,
Stefano Stabellini <sstabellini@...nel.org>,
stable@...r.kernel.org
Subject: Re: [PATCH] xen/events: avoid NULL pointer dereference in
evtchn_from_irq()
On 21.05.20 23:57, Boris Ostrovsky wrote:
> On 5/21/20 2:46 PM, Marek Marczykowski-Górecki wrote:
>> On Thu, May 21, 2020 at 01:22:03PM -0400, Boris Ostrovsky wrote:
>>> On 3/19/20 3:14 AM, Juergen Gross wrote:
>>>> There have been reports of races in evtchn_from_irq() where the info
>>>> pointer has been NULL.
>>>>
>>>> Avoid that case by testing info before dereferencing it.
>>>>
>>>> In order to avoid accessing a just freed info structure do the kfree()
>>>> via kfree_rcu().
>>>
>>> Looks like noone ever responded to this.
>>>
>>>
>>> This change looks fine but is there a background on the problem? I
>>> looked in the archives and didn't find the relevant discussion.
>> Here is the original bug report:
>> https://xen.markmail.org/thread/44apwkwzeme4uavo
>>
>
>
> Thanks. Do we know what the race is? Is it because an event is being
> delivered from a dying guest who is in the process of tearing down event
> channels?
Missing synchronization between event channel (de-)allocation and
handling.
I have a patch sitting here, just didn't have the time to do some proper
testing and sending it out.
Juergen
Powered by blists - more mailing lists