| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20201113171658.GF322940@rowland.harvard.edu>
Date: Fri, 13 Nov 2020 12:16:58 -0500
From: Alan Stern <stern@...land.harvard.edu>
To: John Boero <boeroboy@...il.com>
Cc: Laurent Pinchart <laurent.pinchart@...asonboard.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Felipe Balbi <balbi@...nel.org>, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] usb: core: Null deref in kernel with USB webcams.
On Fri, Nov 13, 2020 at 04:45:52PM +0000, John Boero wrote:
> Sorry I wanted to include a pastebin or link but was trying to follow maillist
> guidelines and not include links or exceed wrap guidelines. Full contents:
> https://paste.centos.org/view/3746bc40
>
> Yes I understand the return dodges the config dereference.
>
> Original line usb.c:281 is the original error:
>
> 280| for (i = 0; i < config->desc.bNumInterfaces; i++)
> 281| if (config->interface[i]->altsetting[0]
> 282| .desc.bInterfaceNumber == ifnum)
> 283| return config->interface[i];
Okay. Without having looked at the code, I would guess that uvcvideo's
uvc_ioctl_streamon() handler -- or some routine beneath it -- either
doesn't lock the USB interface while starting I/O, or doesn't check
(while holding the lock) to see whether the driver has been unbound.
This sort of error (config->interface[i] == NULL) is what you expect to
see if a driver tries to carry out I/O to a device that has been
unplugged and that it has been unbound from.
Alan Stern
Powered by blists - more mailing lists