Message-Id: <d28d59c1-1ed0-422b-b749-0082de05e7ee@www.fastmail.com>
Date:   Fri, 16 Sep 2022 08:59:44 +0200
From:   "Arnd Bergmann" <arnd@...db.de>
To:     "Hyunwoo Kim" <imv4bel@...il.com>,
        "Lubomir Rintel" <lkundrak@...sk>,
        "Greg Kroah-Hartman" <gregkh@...uxfoundation.org>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: [PATCH] char: pcmcia: scr24x_cs: Fix use-after-free in scr24x_fops

On Fri, Sep 16, 2022, at 7:00 AM, Hyunwoo Kim wrote:
> @@ -298,9 +300,10 @@ static void scr24x_remove(struct pcmcia_device *link)
>  	cdev_del(&dev->c_dev);
>  	clear_bit(dev->devno, scr24x_minors);
>  	dev->dev = NULL;
> -	mutex_unlock(&dev->lock);
> 
>  	kref_put(&dev->refcnt, scr24x_delete);
> +
> +	mutex_unlock(&dev->lock);
>  }
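
Review bot: at the end of scr24x_remove(), `mutex_unlock(&dev->lock)` now runs after `kref_put(&dev->refcnt, scr24x_delete)`, but the mutex lives inside `dev`, so if this put drops the last reference the release callback has already run and the unlock operates on an object that may no longer exist. Keep the unlock ahead of the final put, as the removed line had it, or ensure another reference is still held across the unlock. A short comment stating which reference keeps `dev` alive at this point would make the ordering requirement explicit.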

This appears to introduce a new use-after-free, when the kref_put()
frees the 'dev' structure and you unlock the mutex in that structure
afterwards.

       Arnd
