linux-kernel - Input: uinput - race after request submit tiemout

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite for Android: free password hash cracker in your pocket

[<prev] [next>] [day] [month] [year] [list]

Date: Tue, 21 May 2024 19:36:19 +0800
From: Hillf Danton <hdanton@...a.com>
To: linux-input@...r.kernel.org
Cc: Dmitry Torokhov <dmitry.torokhov@...il.com>,
	Krzysztof Kozlowski <krzysztof.kozlowski+dt@...aro.org>,
	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-kernel@...r.kernel.org
Subject: Input: uinput - race after request submit tiemout

	uinput_request_submit()		uinput_ioctl_handler()
	---				---
	wait_for_completion_timeout()	case UI_END_FF_ERASE:
					req = uinput_request_find()
	uinput_request_release_slot()
					req->retval = ff_erase.retval;
					complete(&req->done);

Given the race between request submit and ioctl handler, memory corruption
could happen after releasing request slot.