Date:   Mon, 06 Jun 2022 12:27:28 +0300
From:   Eli Billauer <eli.billauer@...il.com>
To:     Zheyu Ma <zheyuma97@...il.com>
CC:     arnd@...db.de, gregkh@...uxfoundation.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4] char: xillybus: Check endpoint type at probe time

On 31/05/22 08:44, Zheyu Ma wrote:
>   static int xillyusb_setup_base_eps(struct xillyusb_dev *xdev)
>   {
> +	if (xillyusb_check_endpoint(xdev, IN_EP_NUM | USB_DIR_IN) ||
> +		xillyusb_check_endpoint(xdev, MSG_EP_NUM | USB_DIR_OUT))
> +		return -EINVAL;
> +
>   	xdev->msg_ep = endpoint_alloc(xdev, MSG_EP_NUM | USB_DIR_OUT,
>   				      bulk_out_work, 1, 2);
>   	if (!xdev->msg_ep)
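Review bot: In xillyusb_setup_base_eps(), the new early return of -EINVAL does not say which of the two endpoints (IN_EP_NUM | USB_DIR_IN or MSG_EP_NUM | USB_DIR_OUT) failed the check. Unless xillyusb_check_endpoint() logs on its own, which is not visible in this hunk, a dev_err() naming the offending endpoint would make a rejected device much easier to diagnose. As a style point, the continuation line of the if condition is indented with two tabs; aligning it with the opening parenthesis would follow the usual kernel layout.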
> @@ -1962,6 +1986,10 @@ static int setup_channels(struct xillyusb_dev *xdev,
>   			chan->out_log2_element_size = out_desc&  0x0f;
>   			chan->out_log2_fifo_size =
>   				((out_desc>>  8)&  0x1f) + 16;
> +			if (xillyusb_check_endpoint(xdev, (i+2) | USB_DIR_OUT)) {
> +				kfree(xdev->channels);
> +				return -EINVAL;
> +			}
>   		}
>   	}
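Review bot: The kfree(xdev->channels) on the new error path in setup_channels() releases the array but leaves xdev->channels pointing at it, so any later teardown that frees the same pointer becomes a double free; the reply below reports exactly this, with cleanup_dev() freeing it a second time. Dropping the kfree() and returning -EINVAL directly (which also removes the need for the braces) leaves ownership of xdev->channels with the device's normal release path. As a minor style point, (i+2) would normally be written (i + 2).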
>
>    
I just checked this against hardware, and made it fail deliberately by 
replacing the (i+2) part with (i+3). I got a kernel memory corruption, 
because xdev->channels was freed twice: Once in the snippet above, and a 
second time in cleanup_dev().

So the kfree() call here should go away. xdev->channels is freed when 
xdev's reference count goes to zero.

Thanks,
    Eli
