lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <39993564-7310-a2e0-8139-14ccb9a03ba9@astralinux.ru>
Date:   Wed, 15 Feb 2023 16:39:56 +0300
From:   Анастасия Белова 
        <abelova@...ralinux.ru>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Jakob Koschel <jakobkoschel@...il.com>, linux-usb@...r.kernel.org,
        linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] goku_udc: Add check for NULL in goku_irq


03.02.2023 13:45, Greg Kroah-Hartman пишет:
> On Fri, Feb 03, 2023 at 01:18:28PM +0300, Anastasia Belova wrote:
>> Before dereferencing dev->driver check it for NULL.
>>
>> If an interrupt handler is called after assigning
>> NULL to dev->driver, but before resetting dev->int_enable,
>> NULL-pointer will be dereferenced.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>> Signed-off-by: Anastasia Belova <abelova@...ralinux.ru>
>> ---
>>   drivers/usb/gadget/udc/goku_udc.c | 5 +++--
>>   1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/udc/goku_udc.c b/drivers/usb/gadget/udc/goku_udc.c
>> index bdc56b24b5c9..896bba8b47f1 100644
>> --- a/drivers/usb/gadget/udc/goku_udc.c
>> +++ b/drivers/usb/gadget/udc/goku_udc.c
>> @@ -1616,8 +1616,9 @@ static irqreturn_t goku_irq(int irq, void *_dev)
>>   pm_next:
>>   		if (stat & INT_USBRESET) {		/* hub reset done */
>>   			ACK(INT_USBRESET);
>> -			INFO(dev, "USB reset done, gadget %s\n",
>> -				dev->driver->driver.name);
>> +			if (dev->driver)
>> +				INFO(dev, "USB reset done, gadget %s\n",
>> +					dev->driver->driver.name);
> How can this ever happen?  Can you trigger this somehow?  If not, I
> don't think this is going to be possible (also what's up with printk
> from an irq handler???)

Unfortunately, I can't find the way to trigger this at the moment.

What about printk, should trace_printk be used instead?

>
> Odds are, no one actually has this hardware anymore, right?

Despite of this, such vulnerability should be fixed because

there is a possibility to exploit it.

> thanks,
>
> greg k-h

Best regards,

Anastasia Belova

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ