lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <17ad6913.ff8e0.1838933840d.Coremail.duoming@zju.edu.cn>
Date:   Thu, 29 Sep 2022 20:23:18 +0800 (GMT+08:00)
From:   duoming@....edu.cn
To:     "Leon Romanovsky" <leon@...nel.org>
Cc:     linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        isdn@...ux-pingi.de, kuba@...nel.org
Subject: Re: [PATCH V4] mISDN: fix use-after-free bugs in l1oip timer
 handlers

Hello,

On Thu, 29 Sep 2022 10:22:07 +0300 Leon Romanovsky wrote:

> On Wed, Sep 28, 2022 at 09:39:38PM +0800, Duoming Zhou wrote:
> > The l1oip_cleanup() traverses the l1oip_ilist and calls
> > release_card() to cleanup module and stack. However,
> > release_card() calls del_timer() to delete the timers
> > such as keep_tl and timeout_tl. If the timer handler is
> > running, the del_timer() will not stop it and result in
> > UAF bugs. One of the processes is shown below:
> > 
> >     (cleanup routine)          |        (timer handler)
> > release_card()                 | l1oip_timeout()
> >  ...                           |
> >  del_timer()                   | ...
> >  ...                           |
> >  kfree(hc) //FREE              |
> >                                | hc->timeout_on = 0 //USE
> > 
> > Fix by calling del_timer_sync() in release_card(), which
> > makes sure the timer handlers have finished before the
> > resources, such as l1oip and so on, have been deallocated.
> > 
> > What's more, the hc->workq and hc->socket_thread can kick
> > those timers right back in. We add a bool flag to show
> > if card is released. Then, check this flag in hc->workq
> > and hc->socket_thread.
> > 
> > Fixes: 3712b42d4b1b ("Add layer1 over IP support")
> > Signed-off-by: Duoming Zhou <duoming@....edu.cn>
> > ---
> > Changes in v4:
> >   - Use bool flag to judge whether card is released.
> > 
> >  drivers/isdn/mISDN/l1oip.h      |  1 +
> >  drivers/isdn/mISDN/l1oip_core.c | 13 +++++++------
> >  2 files changed, 8 insertions(+), 6 deletions(-)
> 
> It looks like it is ok now, but whole mISDN code doesn't look healthy,
> so it is hard to say for sure.
> 
> Are you fixing real issue that you saw in field?

Thank you for your time and reply! I found this issue through a 
static analysis tool wroten by myself.

> Thanks,
> Reviewed-by: Leon Romanovsky <leonro@...dia.com>

Thank you!

Best regards,
Duoming Zhou

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ