| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Apr 2022 17:51:15 +0300
From: Andy Shevchenko <andy.shevchenko@...il.com>
To: Dongliang Mu <dzm91@...t.edu.cn>
Cc: Oliver Neukum <oliver@...kum.org>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Dongliang Mu <mudongliangabcd@...il.com>,
syzbot+eabbf2aaa999cc507108@...kaller.appspotmail.com,
USB <linux-usb@...r.kernel.org>, netdev <netdev@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] driver: usb: nullify dangling pointer in cdc_ncm_free
On Sun, Apr 10, 2022 at 5:14 AM Dongliang Mu <dzm91@...t.edu.cn> wrote:
>
> From: Dongliang Mu <mudongliangabcd@...il.com>
>
> cdc_ncm_bind calls cdc_ncm_bind_common and sets dev->data[0]
> with ctx. However, in the unbind function - cdc_ncm_unbind,
> it calls cdc_ncm_free and frees ctx, leaving dev->data[0] as
> a dangling pointer. The following ioctl operation will trigger
> the UAF in the function cdc_ncm_set_dgram_size.
First of all, please use the standard form of referring to the func()
as in this sentence.
> Fix this by setting dev->data[0] as zero.
>
> ==================================================================
> BUG: KASAN: use-after-free in cdc_ncm_set_dgram_size+0xc91/0xde0
> Read of size 8 at addr ffff8880755210b0 by task dhcpcd/3174
>
Please, avoid SO noisy commit messages. Find the core part of the
traceback(s) which should be rarely more than 5-10 lines.
...
The code seems fine.
--
With Best Regards,
Andy Shevchenko
Powered by blists - more mailing lists