| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024012724-chirpy-google-51bb@gregkh>
Date: Sat, 27 Jan 2024 17:29:43 -0800
From: Greg KH <gregkh@...uxfoundation.org>
To: Jiri Slaby <jirislaby@...nel.org>
Cc: Kuen-Han Tsai <khtsai@...gle.com>, quic_prashk@...cinc.com,
stern@...land.harvard.edu, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] usb: gadget: u_serial: Add null pointer checks after
RX/TX submission
On Thu, Jan 18, 2024 at 10:27:54AM +0100, Jiri Slaby wrote:
> On 16. 01. 24, 15:16, Kuen-Han Tsai wrote:
> > Commit ffd603f21423 ("usb: gadget: u_serial: Add null pointer check in
> > gs_start_io") adds null pointer checks to gs_start_io(), but it doesn't
> > fully fix the potential null pointer dereference issue. While
> > gserial_connect() calls gs_start_io() with port_lock held, gs_start_rx()
> > and gs_start_tx() release the lock during endpoint request submission.
> > This creates a window where gs_close() could set port->port_tty to NULL,
> > leading to a dereference when the lock is reacquired.
> >
> > This patch adds a null pointer check for port->port_tty after RX/TX
> > submission, and removes the initial null pointer check in gs_start_io()
> > since the caller must hold port_lock and guarantee non-null values for
> > port_usb and port_tty.
>
> Or you switch to tty_port refcounting and need not fiddling with this at all
> ;).
I agree, Kuen-Han, why not do that instead?
thanks,
greg k-h
Powered by blists - more mailing lists