Message-ID: <078e3a48-acdb-e6e4-8963-84ecf1c1429d@xs4all.nl>
Date:   Thu, 13 Apr 2023 11:18:28 +0200
From:   Hans Verkuil <hverkuil@...all.nl>
To:     Zheng Wang <zyytlz.wz@....com>,
        Deborah Brouwer <deborahbrouwer3563@...il.com>
Cc:     laurent.pinchart@...asonboard.com, sakari.ailus@...ux.intel.com,
        linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
        alex000young@...il.com, hackerzheng666@...il.com,
        security@...nel.org, hdanton@...a.com, mchehab@...nel.org
Subject: Re: [PATCH v3] media: bttv: fix use after free error due to
 btv->timeout timer

Hi Zheng,

Deb Brouwer is working on converting bttv to the vb2 framework, so I want to
wait for that to finish before taking other bttv patches.

I suspect this is still valid post-vb2 conversion, but I'm not certain.

Regards,

	Hans

On 13/04/2023 05:49, Zheng Wang wrote:
> There may be a race condition between the timer function
> bttv_irq_timeout and bttv_remove. The timer is set up in
> probe and there is no timer_delete operation in the remove
> function. When it hits kfree btv, the function might still be
> invoked, which will cause a use after free bug.
> 
> This bug is found by static analysis; it may be a false positive.
> 
> Fix it by adding a del_timer_sync invocation to the remove function.
> 
> cpu0                cpu1
>                   bttv_probe
>                     ->timer_setup
>                       ->bttv_set_dma
>                         ->mod_timer;
> bttv_remove
>   ->kfree(btv);
>                   ->bttv_irq_timeout
>                     ->USE btv
> 
> Fixes: 162e6376ac58 ("media: pci: Convert timers to use timer_setup()")
> Signed-off-by: Zheng Wang <zyytlz.wz@....com>
> ---
> v3:
> - Add Fix label
> v2:
> - stop replacing del_timer with del_timer_sync suggested by Hillf Danton
> ---
>  drivers/media/pci/bt8xx/bttv-driver.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
> index d40b537f4e98..24ba5729969d 100644
> --- a/drivers/media/pci/bt8xx/bttv-driver.c
> +++ b/drivers/media/pci/bt8xx/bttv-driver.c
> @@ -4248,6 +4248,7 @@ static void bttv_remove(struct pci_dev *pci_dev)
>  
>  	/* free resources */
>  	free_irq(btv->c.pci->irq,btv);
> +	del_timer_sync(&btv->timeout);
>  	iounmap(btv->bt848_mmio);
>  	release_mem_region(pci_resource_start(btv->c.pci,0),
>  			   pci_resource_len(btv->c.pci,0));
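Review bot: the added del_timer_sync(&btv->timeout); only guarantees that no callback is pending or running when it returns, so the fix closes the race only if nothing reachable after this line can call mod_timer on btv->timeout again; the commit message says bttv_set_dma arms the timer, so the remainder of bttv_remove between this line and kfree(btv) should be checked for any late bttv_set_dma call, and the commit message should state that none exists. The placement itself is sound: free_irq(btv->c.pci->irq,btv); on the preceding line has already waited for the interrupt handler to finish, so the handler cannot re-arm the timer after it has been cancelled here.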
