lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <bb97600c-c865-10ab-fdb9-861c5423ddb0@gmail.com>
Date:   Wed, 30 Mar 2022 21:46:11 +0300
From:   Pavel Skripkin <paskripkin@...il.com>
To:     syzbot <syzbot+99d6c66dbbc484f50e1c@...kaller.appspotmail.com>,
        linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
        mchehab@...nel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Read in em28xx_init_extension (2)

On 3/30/22 20:36, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    52d543b5497c Merge tag 'for-linus-5.17-1' of https://githu..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17b804fb700000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=7094767cefc58fb9
> dashboard link: https://syzkaller.appspot.com/bug?extid=99d6c66dbbc484f50e1c
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=161c4739700000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16432d51700000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+99d6c66dbbc484f50e1c@...kaller.appspotmail.com
> 
> em28xx 5-1:0.130: Config register raw data: 0xfffffffb
> em28xx 5-1:0.130: AC97 chip type couldn't be determined
> em28xx 5-1:0.130: No AC97 audio processor
> ==================================================================
> BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26
> Read of size 8 at addr ffff888027458250 by task kworker/1:1/40
> 


Just want to warn anyone looking into this bug.

I came up with the fix, that passed syzbot testing and patch has been in 
Linus' tree for couple of months: see commit 2c98b8a3458d ("media: 
em28xx: add missing em28xx_close_extension").

After some time Maximilian sent a report about kernel hung bug caused by 
my fix [1]. Just random hung caused by wrong reference counting 
somewhere. No idea how to reproduce it locally or how to fix it.

I had to revert my fix, of course. That's why this bug appeared one more 
time.

So, if you are going to send a fix, please, check that it does not have 
same problem as mine.

Thanks


[1] 
https://lore.kernel.org/all/6a72a37b-e972-187d-0322-16336e12bdc5@elbmurf.de/ 



With regards,
Pavel Skripkin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ