lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Sun, 05 Nov 2023 18:12:14 -0800
From:   Rahul Rameshbabu <rrameshbabu@...dia.com>
To:     Lizhi Xu <lizhi.xu@...driver.com>
Cc:     <syzbot+8a78ecea7ac1a2ea26e5@...kaller.appspotmail.com>,
        <davem@...emloft.net>, <linux-kernel@...r.kernel.org>,
        <netdev@...r.kernel.org>, <reibax@...il.com>,
        <richardcochran@...il.com>, <syzkaller-bugs@...glegroups.com>
Subject: Re: [PATCH] ptp: fix null ptr deref in ptp_ioctrl

On Mon, 06 Nov, 2023 09:19:26 +0800 Lizhi Xu <lizhi.xu@...driver.com> wrote:

<snip>

>
> It can be confirmed that after the execution of "read (3, 0x20000080, 90)",
> ptp_release() will be called to release the queue and set
> pccontext->private_clkdata = NULL at the same time, this is unreasonable and
> incorrect. The queue is not the memory requested in ptp_read() and should not
> be released in ptp_read().
>
> Signed-off-by: Lizhi Xu <lizhi.xu@...driver.com>
> ---
>  drivers/ptp/ptp_chardev.c | 2 --
>  1 file changed, 2 deletions(-)
>
> diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
> index 282cd7d24077..27c1ef493617 100644
> --- a/drivers/ptp/ptp_chardev.c
> +++ b/drivers/ptp/ptp_chardev.c
> @@ -585,7 +585,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
>  free_event:
>  	kfree(event);
>  exit:
> -	if (result < 0)
> -		ptp_release(pccontext);
>  	return result;
>  }

There is already an ongoing review for a patch submission that covers this.

  https://lore.kernel.org/netdev/tencent_856E1C97CCE9E2ED66CC087B526CD42ED50A@qq.com/

--
Thanks,

Rahul Rameshbabu

Powered by blists - more mailing lists