lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240920112809.627-1-hdanton@sina.com>
Date: Fri, 20 Sep 2024 19:28:09 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+a11c46f37ee083a73deb@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [media?] KASAN: use-after-free Read in em28xx_close_extension (2)

On Thu, 19 Sep 2024 08:00:19 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    68d4209158f4 sub: cdns3: Use predefined PCI vendor ID cons..
> git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11166200580000

#syz test

--- x/drivers/media/usb/em28xx/em28xx-core.c
+++ y/drivers/media/usb/em28xx/em28xx-core.c
@@ -1134,7 +1134,7 @@ void em28xx_close_extension(struct em28x
 			ops->fini(dev);
 		}
 	}
-	list_del(&dev->devlist);
+	list_del_init(&dev->devlist);
 	mutex_unlock(&em28xx_devlist_mutex);
 }
 
--- x/drivers/media/usb/em28xx/em28xx-cards.c
+++ y/drivers/media/usb/em28xx/em28xx-cards.c
@@ -3910,6 +3910,7 @@ static int em28xx_usb_probe(struct usb_i
 		retval = -ENOMEM;
 		goto err;
 	}
+	INIT_LIST_HEAD(&dev->devlist);
 
 	/* compute alternate max packet sizes */
 	dev->alt_max_pkt_size_isoc = kcalloc(intf->num_altsetting,
@@ -4156,6 +4157,8 @@ static int em28xx_usb_probe(struct usb_i
 	return 0;
 
 err_free:
+	if (!list_empty(&dev->devlist))
+		em28xx_close_extension(dev);
 	kfree(dev->alt_max_pkt_size_isoc);
 	kfree(dev);
 
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ