lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2025050851-splatter-thesaurus-f54e@gregkh>
Date: Thu, 8 May 2025 11:41:52 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Xin Chen <quic_cxin@...cinc.com>
Cc: Rob Herring <robh@...nel.org>, Jiri Slaby <jirislaby@...nel.org>,
	linux-serial@...r.kernel.org, linux-kernel@...r.kernel.org,
	liulzhao@....qualcomm.com, quic_chejiang@...cinc.com,
	zaiyongc@....qualcomm.com, quic_zijuhu@...cinc.com,
	quic_mohamull@...cinc.com,
	Panicker Harish <quic_pharish@...cinc.com>
Subject: Re: [PATCH v1] tty: serdev: serdev-ttyport: Fix use-after-free in
 ttyport_close() due to uninitialized serport->tty

On Thu, May 08, 2025 at 05:29:18PM +0800, Xin Chen wrote:
> 
> On 4/30/2025 7:40 PM, Greg Kroah-Hartman wrote:
> > On Wed, Apr 30, 2025 at 07:16:17PM +0800, Xin Chen wrote:
> >> When ttyport_open() fails to initialize a tty device, serport->tty is not
> >> --- a/drivers/tty/serdev/serdev-ttyport.c
> >> +++ b/drivers/tty/serdev/serdev-ttyport.c
> >> @@ -88,6 +88,10 @@ static void ttyport_write_flush(struct serdev_controller *ctrl)
> >>  {
> >>  	struct serport *serport = serdev_controller_get_drvdata(ctrl);
> >>  	struct tty_struct *tty = serport->tty;
> >> +	if (!tty) {
> >> +		dev_err(&ctrl->dev, "tty is null\n");
> >> +		return;
> >> +	}
> > 
> > What prevents tty from going NULL right after you just checked this?
> 
> First sorry for reply so late for I have a long statutory holidays.
> Maybe I don't get your point. From my side, there is nothing to prevent it.
> Check here is to avoid code go on if tty is NULL.

Yes, but the problem is, serport->tty could change to be NULL right
after you check it, so you have not removed the real race that can
happen here.  There is no lock, so by adding this check you are only
reducing the risk of the problem happening, not actually fixing the
issue so that it will never happen.

Please fix it so that this can never happen.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ