| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 8 May 2021 19:04:55 +0300
From: Yuri Savinykh <s02190703@....cs.msu.ru>
To: Michael Tretter <m.tretter@...gutronix.de>
Cc: Yuri Savinykh <s02190703@....cs.msu.ru>,
Pengutronix Kernel Team <kernel@...gutronix.de>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
ldv-project@...uxtesting.org
Subject: [bug report] media: allegro: possible NULL pointer dereference.
Hello,
At the moment of enabling irq handling:
3166 ret = devm_request_threaded_irq(&pdev->dev, irq,
3167 allegro_hardirq,
3168 allegro_irq_thread,
3169 IRQF_SHARED, dev_name(&pdev->dev), dev);
there is still uninitialized field mbox_status of struct allegro_dev *dev.
If an interrupt occurs in the interval between the installation of the
interrupt handler and the initialization of this field, NULL pointer
dereference happens.
This field is dereferenced in the handler function without any check:
1801 static irqreturn_t allegro_irq_thread(int irq, void *data)
1802 {
1803 struct allegro_dev *dev = data;
1804
1805 allegro_mbox_notify(dev->mbox_status);
and then:
752 static void allegro_mbox_notify(struct allegro_mbox *mbox)
753 {
754 struct allegro_dev *dev = mbox->dev;
The initialization of the mbox_status field happens asynchronously in
allegro_fw_callback() via allegro_mcu_hw_init().
Is it guaranteed that an interrupt does not occur in this interval?
If it is not, is it better to move interrupt handler installation
after initialization of this field has been completed?
Found by Linux Driver Verification project (linuxtesting.org).
Powered by blists - more mailing lists