| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7dfab6ea-fec3-4ddb-a6b7-db692e39474c@kernel.org>
Date: Mon, 19 Jan 2026 07:25:11 +0100
From: Jiri Slaby <jirislaby@...nel.org>
To: Osama Abdelkader <osama.abdelkader@...il.com>,
Andrew Lunn <andrew+netdev@...n.ch>, "David S. Miller"
<davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Sjur Braendeland <sjur.brandeland@...ricsson.com>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: syzbot+f9d847b2b84164fa69f3@...kaller.appspotmail.com,
stable@...r.kernel.org
Subject: Re: [PATCH v2] net: caif: fix memory leak in ldisc_receive
On 18. 01. 26, 18:44, Osama Abdelkader wrote:
> Add NULL pointer checks for ser and ser->dev in ldisc_receive() to
> prevent memory leaks when the function is called during device close
> or in race conditions where tty->disc_data or ser->dev may be NULL.
>
> The memory leak occurred because ser->dev was accessed before checking
> if ser or ser->dev was NULL, which could cause a NULL pointer
> dereference or use of freed memory. Additionally, set tty->disc_data
> to NULL in ldisc_close() to prevent receive_buf() from using a freed
> ser pointer after the line discipline is closed.
>
> Reported-by: syzbot+f9d847b2b84164fa69f3@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=f9d847b2b84164fa69f3
> Fixes: 9b27105b4a44 ("net-caif-driver: add CAIF serial driver (ldisc)")
> CC: stable@...r.kernel.org
> Signed-off-by: Osama Abdelkader <osama.abdelkader@...il.com>
> ---
> v2:
> 1.Combine NULL pointer checks for ser and ser->dev in ldisc_receive()
> 2.Set tty->disc_data = NULL in ldisc_close() to prevent receive_buf()
> from using a freed ser pointer after close.
> 3.Add NULL pointer check for ser in ldisc_close()
> ---
> drivers/net/caif/caif_serial.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
> index c398ac42eae9..970237a3ccca 100644
> --- a/drivers/net/caif/caif_serial.c
> +++ b/drivers/net/caif/caif_serial.c
> @@ -152,6 +152,8 @@ static void ldisc_receive(struct tty_struct *tty, const u8 *data,
> int ret;
>
> ser = tty->disc_data;
> + if (!ser || !ser->dev)
NACK. If receive_buf is called with NULL tty->disc_data (outside of
ldisc open-close window), it's a bug one layer up. I.e. another race in
old bad tiocsti().
> + return;
>
> /*
> * NOTE: flags may contain information about break or overrun.
> @@ -170,8 +172,6 @@ static void ldisc_receive(struct tty_struct *tty, const u8 *data,
> return;
> }
>
> - BUG_ON(ser->dev == NULL);
> -
> /* Get a suitable caif packet and copy in data. */
> skb = netdev_alloc_skb(ser->dev, count+1);
> if (skb == NULL)
> @@ -355,11 +355,15 @@ static void ldisc_close(struct tty_struct *tty)
> {
> struct ser_device *ser = tty->disc_data;
>
> + if (!ser)
Meaning close can be called twice? Or without open? Really?
> + return;
> +
> tty_kref_put(ser->tty);
>
> spin_lock(&ser_lock);
> list_move(&ser->node, &ser_release_list);
> spin_unlock(&ser_lock);
> + tty->disc_data = NULL;
This wouldn't hurt, but should not be needed since:
dd42bf119714 tty: Prevent ldisc drivers from re-using stale tty fields
thanks,
--
js
suse labs
Powered by blists - more mailing lists