Date: Mon, 11 Apr 2022 17:51:15 +0300
From: Andy Shevchenko <andy.shevchenko@...il.com>
To: Dongliang Mu <dzm91@...t.edu.cn>
Cc: Oliver Neukum <oliver@...kum.org>, "David S. Miller" <davem@...emloft.net>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Dongliang Mu <mudongliangabcd@...il.com>,
	syzbot+eabbf2aaa999cc507108@...kaller.appspotmail.com,
	USB <linux-usb@...r.kernel.org>, netdev <netdev@...r.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] driver: usb: nullify dangling pointer in cdc_ncm_free

On Sun, Apr 10, 2022 at 5:14 AM Dongliang Mu <dzm91@...t.edu.cn> wrote:
>
> From: Dongliang Mu <mudongliangabcd@...il.com>
>
> cdc_ncm_bind calls cdc_ncm_bind_common and sets dev->data[0]
> with ctx. However, in the unbind function - cdc_ncm_unbind,
> it calls cdc_ncm_free and frees ctx, leaving dev->data[0] as
> a dangling pointer. The following ioctl operation will trigger
> the UAF in the function cdc_ncm_set_dgram_size.

First of all, please use the standard form of referring to the func()
as in this sentence.

> Fix this by setting dev->data[0] as zero.
>
> ==================================================================
> BUG: KASAN: use-after-free in cdc_ncm_set_dgram_size+0xc91/0xde0
> Read of size 8 at addr ffff8880755210b0 by task dhcpcd/3174
>

Please, avoid SO noisy commit messages. Find the core part of the
traceback(s) which should be rarely more than 5-10 lines.

...

The code seems fine.

-- 
With Best Regards,
Andy Shevchenko
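The lifecycle described in the quoted commit message, as an added user-space example that is not part of the original thread or the kernel source. The struct names, the model_* functions and the zero-slot guard in the handler are assumptions made for illustration.

```c
/* User-space model of the bind/unbind lifecycle; all names are hypothetical
 * stand-ins, not the kernel's cdc_ncm code. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

struct ctx_model { unsigned int max_datagram_size; };
struct dev_model { uintptr_t data[1]; };  /* data[0] plays the role of dev->data[0] */

static int model_bind(struct dev_model *dev)
{
    struct ctx_model *ctx = calloc(1, sizeof(*ctx));
    if (!ctx)
        return -ENOMEM;
    dev->data[0] = (uintptr_t)ctx;        /* publish ctx, as bind does */
    return 0;
}

/* use_fix == 0: ctx freed, slot left stale; use_fix == 1: slot zeroed too. */
static void model_unbind(struct dev_model *dev, int use_fix)
{
    free((void *)dev->data[0]);
    if (use_fix)
        dev->data[0] = 0;
}

/* Assumed guard (not taken from the patch): a zero slot means "unbound". */
static int model_set_dgram_size(struct dev_model *dev, unsigned int size)
{
    struct ctx_model *ctx = (struct ctx_model *)dev->data[0];
    if (!ctx)
        return -ENODEV;
    ctx->max_datagram_size = size;
    return 0;
}

/* What a caller sees after unbind; never touches freed memory. */
static int model_after_unbind(int use_fix)
{
    struct dev_model dev = { { 0 } };
    if (model_bind(&dev) || model_set_dgram_size(&dev, 1500))
        return -EIO;
    model_unbind(&dev, use_fix);
    if (use_fix)
        return model_set_dgram_size(&dev, 1500);  /* guard fires: -ENODEV */
    return dev.data[0] != 0;  /* 1: stale address would pass the guard (the UAF) */
}

int main(void)
{ return !(model_after_unbind(1) == -ENODEV && model_after_unbind(0) == 1); }
```

Without the zeroing, the slot still holds the freed address, so a null check in a later caller cannot tell that the context is gone.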