lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 29 Sep 2022 20:23:18 +0800 (GMT+08:00) From: duoming@....edu.cn To: "Leon Romanovsky" <leon@...nel.org> Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org, isdn@...ux-pingi.de, kuba@...nel.org Subject: Re: [PATCH V4] mISDN: fix use-after-free bugs in l1oip timer handlers Hello, On Thu, 29 Sep 2022 10:22:07 +0300 Leon Romanovsky wrote: > On Wed, Sep 28, 2022 at 09:39:38PM +0800, Duoming Zhou wrote: > > The l1oip_cleanup() traverses the l1oip_ilist and calls > > release_card() to cleanup module and stack. However, > > release_card() calls del_timer() to delete the timers > > such as keep_tl and timeout_tl. If the timer handler is > > running, the del_timer() will not stop it and result in > > UAF bugs. One of the processes is shown below: > > > > (cleanup routine) | (timer handler) > > release_card() | l1oip_timeout() > > ... | > > del_timer() | ... > > ... | > > kfree(hc) //FREE | > > | hc->timeout_on = 0 //USE > > > > Fix by calling del_timer_sync() in release_card(), which > > makes sure the timer handlers have finished before the > > resources, such as l1oip and so on, have been deallocated. > > > > What's more, the hc->workq and hc->socket_thread can kick > > those timers right back in. We add a bool flag to show > > if card is released. Then, check this flag in hc->workq > > and hc->socket_thread. > > > > Fixes: 3712b42d4b1b ("Add layer1 over IP support") > > Signed-off-by: Duoming Zhou <duoming@....edu.cn> > > --- > > Changes in v4: > > - Use bool flag to judge whether card is released. > > > > drivers/isdn/mISDN/l1oip.h | 1 + > > drivers/isdn/mISDN/l1oip_core.c | 13 +++++++------ > > 2 files changed, 8 insertions(+), 6 deletions(-) > > It looks like it is ok now, but whole mISDN code doesn't look healthy, > so it is hard to say for sure. > > Are you fixing real issue that you saw in field? Thank you for your time and reply! I found this issue through a static analysis tool wroten by myself. > Thanks, > Reviewed-by: Leon Romanovsky <leonro@...dia.com> Thank you! Best regards, Duoming Zhou
Powered by blists - more mailing lists