| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20201014194035.ukduovokggu37uba@skbuf>
Date: Wed, 14 Oct 2020 22:40:35 +0300
From: Vladimir Oltean <olteanv@...il.com>
To: Lukas Wunner <lukas@...ner.de>
Cc: Florian Fainelli <f.fainelli@...il.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
linux-spi <linux-spi@...r.kernel.org>,
Mark Brown <broonie@...nel.org>
Subject: Re: Use after free in bcm2835_spi_remove()
On Wed, Oct 14, 2020 at 04:09:12PM +0200, Lukas Wunner wrote:
> Apparently the problem is that spi_unregister_controller() drops the
> last ref on the controller, causing it to be freed, and afterwards we
> access the controller's private data, which is part of the same
> allocation as struct spi_controller:
>
> bcm2835_spi_remove()
> spi_unregister_controller()
> device_unregister()
> put_device()
> spi_controller_release() # spi_master_class.dev_release()
> kfree(ctlr)
> bcm2835_dma_release(ctlr, bs)
> ...
Also see these threads:
https://lore.kernel.org/linux-spi/20200922112241.GO4792@sirena.org.uk/T/#t
https://lore.kernel.org/linux-spi/270b94fd1e546d0c17a735c1f55500e58522da04.camel@suse.de/T/#u
And here's how _not_ to fix it:
https://lore.kernel.org/linux-spi/160088764365.36195.16185348610086043664.b4-ty@kernel.org/T/#t
At least without some care to not break other things:
https://lore.kernel.org/linux-spi/20200928080432.GC11648@pengutronix.de/T/#t
Powered by blists - more mailing lists