| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Apr 2024 12:32:53 -0400
From: Parker Newman <parker@...est.io>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Jiri Slaby <jirislaby@...nel.org>, linux-kernel@...r.kernel.org,
linux-serial@...r.kernel.org, Parker Newman <pnewman@...necttech.com>
Subject: Re: [PATCH v3 8/8] serial: exar: fix: fix crash during shutdown if
setup fails
On Wed, 17 Apr 2024 15:30:56 +0200
Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote:
> On Wed, Apr 17, 2024 at 08:24:13AM -0400, Parker Newman wrote:
> > On Wed, 17 Apr 2024 13:19:07 +0200
> > Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote:
> >
> > > On Tue, Apr 16, 2024 at 08:55:35AM -0400, Parker Newman wrote:
> > > > From: Parker Newman <pnewman@...necttech.com>
> > > >
> > > > If a port fails to register with serial8250_register_8250_port() the
> > > > kernel can crash when shutting down or module removal.
> > > >
> > > > This is because "priv->line[i]" will be set to a negative error code
> > > > and in the exar_pci_remove() function serial8250_unregister_port() is
> > > > called without checking if the "priv->line[i]" value is valid.
> > > >
> > > > Signed-off-by: Parker Newman <pnewman@...necttech.com>
> > > > ---
> > > > drivers/tty/serial/8250/8250_exar.c | 3 ++-
> > > > 1 file changed, 2 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
> > > > index 501b9f3e9c89..f5a395ed69d1 100644
> > > > --- a/drivers/tty/serial/8250/8250_exar.c
> > > > +++ b/drivers/tty/serial/8250/8250_exar.c
> > > > @@ -1671,7 +1671,8 @@ static void exar_pci_remove(struct pci_dev *pcidev)
> > > > unsigned int i;
> > > >
> > > > for (i = 0; i < priv->nr; i++)
> > > > - serial8250_unregister_port(priv->line[i]);
> > > > + if (priv->line[i] >= 0)
> > > > + serial8250_unregister_port(priv->line[i]);
> > >
> > > Is this a bug in the current driver? If so, can you resend it on its
> > > own so we can get it merged now?
> > >
> >
> > Yes it is, I can split this one out and send it on its own.
>
> Great! Bonus points if you can find the commit id it fixes and add a
> "Fixes:" tag to the signed-off-by area. If not, I can guess :)
>
> thanks,
>
> greg k-h
After looking at this again and doing some testing this bug does not actually
happen with the driver in its current state. During my development I had it
happen but that would have been due to me messing around.
When "priv->line[i]" < 0 it breaks out of the for loop and priv->nr is set to "i".
so only the successfully registered ports will be unregistered in exar_pci_remove().
..
for (i = 0; i < nr_ports && i < maxnr; i++) {
rc = board->setup(priv, pcidev, &uart, i);
if (rc) {
dev_err(&pcidev->dev, "Failed to setup port %u\n", i);
break;
}
dev_dbg(&pcidev->dev, "Setup PCI port: port %lx, irq %d, type %d\n",
uart.port.iobase, uart.port.irq, uart.port.iotype);
priv->line[i] = serial8250_register_8250_port(&uart);
if (priv->line[i] < 0) {
dev_err(&pcidev->dev,
"Couldn't register serial port %lx, irq %d, type %d, error %d\n",
uart.port.iobase, uart.port.irq,
uart.port.iotype, priv->line[i]);
break;
}
}
priv->nr = i;
..
Thanks,
Parker
Powered by blists - more mailing lists