lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <69b4cd22-3a02-4d5c-a110-152b8ba8200b@kernel.org>
Date: Tue, 16 Apr 2024 12:59:22 +0200
From: Jiri Slaby <jirislaby@...nel.org>
To: Yewon Choi <woni9911@...il.com>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 linux-kernel@...r.kernel.org, linux-serial@...r.kernel.org,
 "D. Starke" <daniel.starke@...mens.com>
Cc: "Dae R. Jeong" <threeearcat@...il.com>,
 syzbot+6e3e8f30f269f5028e5d@...kaller.appspotmail.com
Subject: Re: tty: n_gsm: race condition in gsmld_ioctl

Hello & thanks.

To: Daniel

On 16. 04. 24, 12:57, Yewon Choi wrote:
> Hello,
> 
> memory leak in gsmld_ioctl was reported by syzbot, and this issue seems to be
> raised from race condition involving gsm->dlci[addr].
> 
> https://syzkaller.appspot.com/bug?extid=6e3e8f30f269f5028e5d
> 
> When dlci object is checked and initialized in gsmld_ioctl(), it may be
> assigned multiple times because there is no lock which guards entering
> the critical section in gsm_dlci_alloc() from multiple threads.
> 
> For example, when multiple ioctl() are called concurrently, the following
> scenario is possible:
> 
> Thread 0                                Thread 1
> ioctl(GSMIOC_SETCONF_DLCI)              ioctl(GSMIOC_GETCONF_DLCI)
> 
> gsmld_ioctl():                          gsmld_ioctl():
>    dlci = gsm->dlci[addr];
>                                            dlci = gsm->dlci[addr];
>    if (!dlci) {
>      gsm_dlci_alloc(gsm, addr):
>        ...
>        gsm->dlci[addr] = dlci;
>                                            if (!dlci) {
>                                              gsm_dlci_alloc(gsm, addr):
>                                                ...
>                                                // overwritten & memory leak
>                                                gsm->dlci[addr] = dlci;
> 
> 
> We think either (1) gsm_dlci_alloc() should hold a lock(mutex) and do
> internal check about whether gsm->dlci[addr] is NUll or not, OR
> (2) all callers of gsm_dlci_alloc() should hold gsm->mutex and check
> whether gsm->dlci[addr] is NUll or not (like gsmtty_install()).
> 
> Could you check this? If it makes sense, we will write a patch following
> one of the suggestions.
> 
> Best Regards,
> Yewon Choi

-- 
js

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ