lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 14 Jul 2020 11:32:56 +0200
From:   Thierry Reding <thierry.reding@...il.com>
To:     Jon Hunter <jonathanh@...dia.com>
Cc:     Mathias Nyman <mathias.nyman@...el.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-tegra@...r.kernel.org, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org
Subject: Re: [PATCH 2/2] usb: tegra: Fix zero length memory allocation

On Sun, Jul 12, 2020 at 11:28:37AM +0100, Jon Hunter wrote:
> After commit cad064f1bd52 ("devres: handle zero size in devm_kmalloc()")
> was added system suspend started failing on Tegra186. The kernel log
> showed that the Tegra XHCI driver was crashing on entry to suspend when
> attemptin the save the USB context. The problem is caused because we
> are trying to allocate a zero length array for the IPFS context on
> Tegra186 and following commit cad064f1bd52 ("devres: handle zero size
> in devm_kmalloc()") this now causes a NULL pointer deference crash
> when we try to access the memory. Fix this by only allocating memory
> for both the IPFS and FPCI contexts when required.
> 
> Cc: stable@...r.kernel.org
> 
> Fixes: 5c4e8d3781bc ("usb: host: xhci-tegra: Add support for XUSB context save/restore")
> 
> Signed-off-by: Jon Hunter <jonathanh@...dia.com>
> ---
>  drivers/usb/host/xhci-tegra.c | 22 ++++++++++++++--------
>  1 file changed, 14 insertions(+), 8 deletions(-)

Actually it would seem to me that this is no longer a bug after your fix
in patch 1. We only ever access tegra->context.ipfs if
tegra->soc->ipfs.num_offsets > 0, so the special ZERO_SIZE_PTR case will
not actually cause an issue anymore.

The reason why this was crashing was because tegra->context.fpci was
allocated with a zero size (because of the bug that you fixed in patch
1) and then that zero-size pointer was dereferenced because the code was
correctly checking for tegra->soc->fpci.num_offsets > 0 in the context
save and restore.

So I don't think there's a bug here. It's not wrong to allocate a zero-
size buffer. It's only a bug to then go and dereference it. Are you
still seeing the issue if you leave out this patch and only apply patch
1?

Thierry

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists