| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <nycvar.YFH.7.76.2201191559280.28059@cbobk.fhfr.pm>
Date: Wed, 19 Jan 2022 15:59:47 +0100 (CET)
From: Jiri Kosina <jikos@...nel.org>
To: Jann Horn <jannh@...gle.com>
cc: David Rheinsberg <david.rheinsberg@...il.com>,
Benjamin Tissoires <benjamin.tissoires@...hat.com>,
linux-input@...r.kernel.org,
Roderick Colenbrander <roderick.colenbrander@...y.com>,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH 1/2] HID: uhid: Fix worker destroying device without any
protection
On Fri, 14 Jan 2022, Jann Horn wrote:
> uhid has to run hid_add_device() from workqueue context while allowing
> parallel use of the userspace API (which is protected with ->devlock).
> But hid_add_device() can fail. Currently, that is handled by immediately
> destroying the associated HID device, without using ->devlock - but if
> there are concurrent requests from userspace, that's wrong and leads to
> NULL dereferences and/or memory corruption (via use-after-free).
>
> Fix it by leaving the HID device as-is in the worker. We can clean it up
> later, either in the UHID_DESTROY command handler or in the ->release()
> handler.
>
> Cc: stable@...r.kernel.org
> Fixes: 67f8ecc550b5 ("HID: uhid: fix timeout when probe races with IO")
> Signed-off-by: Jann Horn <jannh@...gle.com>
I've queued both patches for 5.17, thanks a lot for fixing this.
--
Jiri Kosina
SUSE Labs
Powered by blists - more mailing lists