Message-ID: <1371628488.8349.3.camel@jlt4.sipsolutions.net>
Date: Wed, 19 Jun 2013 09:54:48 +0200
From: Johannes Berg <johannes@...solutions.net>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: David Miller <davem@...emloft.net>,
John Linville <linville@...driver.com>,
Linux Wireless List <linux-wireless@...r.kernel.org>,
Network Development <netdev@...r.kernel.org>
Subject: Re: nl80211 NULL pointer dereference
On Tue, 2013-06-18 at 16:24 -1000, Linus Torvalds wrote:
> So it would seem that it's that
>
> info->attrs[NL80211_ATTR_REG_RULES]
>
> thing that is NULL.
>
> And yes, the code checks that for being non-NULL at the top of the
> function, but maybe there is a race with something else setting it to
> NULL? There is a kzalloc(GFP_KERNEL) in between, so it doesn't even
> have to be a very small race...
Yes. I looked at it, and reproduced it (after making the window larger
by putting some sleeps in there and WARN_ON()). It's really just a
stupid mistake I made: in nl80211_dump_wiphy() I parse attributes into
the global nl80211_fam.attrbuf, without making sure that it has proper
locking. Normally we do something like that only on the first iteration
of a dump which is OK because it's locked, but here I did it always,
which is clearly a bug.
I'll have a patch in a minute.
johannes
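As an added illustration (not code from this thread or from the kernel), a small C model of the race Johannes describes: a shared attribute buffer that every dump iteration re-parses, beside the same dump using a buffer private to the call. The attribute names, the `struct msg` type and the per-call-buffer remedy are assumptions for the example; the author's own remedy is proper locking of the global buffer.

```c
#include <string.h>

/* Constructed model of the race described above, not kernel code. The
 * netlink message is reduced to an array of attribute strings (NULL =
 * attribute absent) and nla_parse() to a clear-then-fill loop. */
enum { ATTR_WIPHY = 0, ATTR_REG_RULES = 1, ATTR_MAX = 2 };
struct msg { const char *attrs[ATTR_MAX]; };

/* One shared scratch buffer, playing the role of nl80211_fam.attrbuf. */
static const char *attrbuf[ATTR_MAX];

/* Like nla_parse(): every slot is overwritten, so a message that lacks an
 * attribute leaves NULL where the previous parse had stored a pointer. */
static void parse_into(const char *buf[], const struct msg *m)
{
    for (int i = 0; i < ATTR_MAX; i++)
        buf[i] = m->attrs[i];
}

/* Buggy shape: parse into the global buffer on every dump iteration.
 * 'other' is the request that a concurrent dump parses into the same
 * buffer while this one sleeps in kzalloc(GFP_KERNEL); the interleaving
 * is modelled inline so the outcome is deterministic.
 * Returns 1 if the final dereference is safe, 0 if the request was
 * rejected by the up-front check, -1 if the pointer was clobbered. */
static int dump_shared_buf(const struct msg *req, const struct msg *other)
{
    parse_into(attrbuf, req);
    if (!attrbuf[ATTR_REG_RULES])
        return 0;                   /* the check at the top of the function */
    parse_into(attrbuf, other);     /* sleep window: the other dump runs */
    return attrbuf[ATTR_REG_RULES] ? 1 : -1;  /* -1 is the NULL dereference */
}

/* Hardened shape (assumed remedy, not the author's patch): parse into a
 * buffer owned by this call, so another caller's parse into the global
 * cannot change a pointer we already validated. Holding the dump lock
 * around the global buffer, as the author describes, is the alternative. */
static int dump_private_buf(const struct msg *req, const struct msg *other)
{
    const char *local[ATTR_MAX];
    parse_into(local, req);
    if (!local[ATTR_REG_RULES])
        return 0;
    parse_into(attrbuf, other);     /* concurrent parse no longer matters */
    return local[ATTR_REG_RULES] ? 1 : -1;
}
```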