| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250902104630.6a9f088a.michal.pecio@gmail.com> Date: Tue, 2 Sep 2025 10:46:30 +0200 From: MichaĆ Pecio <michal.pecio@...il.com> To: "David Wang" <00107082@....com> Cc: "Mathias Nyman" <mathias.nyman@...ux.intel.com>, WeitaoWang-oc@...oxin.com, gregkh@...uxfoundation.org, linux-usb@...r.kernel.org, regressions@...ts.linux.dev, linux-kernel@...r.kernel.org, surenb@...gle.com, kent.overstreet@...ux.dev Subject: Re: [PATCH] usb: xhci: Fix xhci_free_virt_devices_depth_first() On Tue, 2 Sep 2025 16:30:48 +0800 (CST), David Wang wrote: > About the change from "<" to "<=", I did not observe any difference on my system. Is it because my system does not use up all slots? This too, you would need to fiddle with devices (or connect enough of them) to reach Slot ID 255 (probably the highest on most systems), depending on the xHCI controller and its ID allocation policy. But also as explained, this bug doesn't make things go boom just yet. Except if combined with your bug in an obscure edge case: 1. A high speed hub has slot ID HCS_MAX_SLOTS-1 and some TT children. 2. Another high speed hub has slot ID HCS_MAX_SLOTS. 3. We start with freeing the second hub. 4. The loop is entered and leaves vdev pointing at the first hub. 5. The first hub is freed instead of the second one. 6. Then its children are freed and UAF its tt_info.
Powered by blists - more mailing lists