lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4949F36B.7080707@cn.fujitsu.com>
Date:	Thu, 18 Dec 2008 14:53:31 +0800
From:	Wang Chen <wangchen@...fujitsu.com>
To:	"John W. Linville" <linville@...driver.com>
CC:	linux-wireless@...r.kernel.org,
	"David S. Miller" <davem@...emloft.net>,
	Jeff Garzik <jgarzik@...ox.com>,
	NETDEV <netdev@...r.kernel.org>
Subject: [PATCH -next] netdevice zd1201: Use after free

| commit 3d29b0c33d431ecc69ec778f8c236d382f59a85f
| Author: John W. Linville <linville@...driver.com>
| Date:   Fri Oct 31 14:13:12 2008 -0400
| 
|     netdevice zd1201: Convert directly reference of netdev->priv to netdev_priv()
| 
|     We have some reasons to kill netdev->priv:
|     1. netdev->priv is equal to netdev_priv().
|     2. netdev_priv() wraps the calculation of netdev->priv's offset, obviously
|        netdev_priv() is more flexible than netdev->priv.
|     But we cann't kill netdev->priv, because so many drivers reference to it
|     directly.
| 
|     OK, becasue Dave S. Miller said, "every direct netdev->priv usage is a bug",
|     and I want to kill netdev->priv later, I decided to convert all the direct
|     reference of netdev->priv first.
| 
|     (Original patch posted by Wang Chen <wangchen@...fujitsu.com> w/ above
|     changelog but using dev->ml_priv.  That doesn't seem appropriate
|     to me for this driver, so I've revamped it to use netdev_priv()
|     instead. -- JWL)

This commit changed the allocation of netdev, but didn't change
the free method of it.
This causes "zd" be used after the memory, which is pointed by "zd", being
freed by free_netdev().

Signed-off-by: Wang Chen <wangchen@...fujitsu.com>
Cc: John W. Linville <linville@...driver.com>
---
 drivers/net/wireless/zd1201.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
index 3404807..b45c27d 100644
--- a/drivers/net/wireless/zd1201.c
+++ b/drivers/net/wireless/zd1201.c
@@ -1841,10 +1841,6 @@ static void zd1201_disconnect(struct usb_interface *interface)
 	if (!zd)
 		return;
 	usb_set_intfdata(interface, NULL);
-	if (zd->dev) {
-		unregister_netdev(zd->dev);
-		free_netdev(zd->dev);
-	}
 
 	hlist_for_each_entry_safe(frag, node, node2, &zd->fraglist, fnode) {
 		hlist_del_init(&frag->fnode);
@@ -1860,7 +1856,11 @@ static void zd1201_disconnect(struct usb_interface *interface)
 		usb_kill_urb(zd->rx_urb);
 		usb_free_urb(zd->rx_urb);
 	}
-	kfree(zd);
+
+	if (zd->dev) {
+		unregister_netdev(zd->dev);
+		free_netdev(zd->dev);
+	}
 }
 
 #ifdef CONFIG_PM
-- 
1.5.3.4



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ