| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+fCnZdfYxAR_ccD1ZL7qA4YwrwTKdBLztfrn9JmQyztBJBsMA@mail.gmail.com> Date: Sat, 5 Mar 2016 02:00:02 +0300 From: Andrey Konovalov <andreyknvl@...il.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Oliver Neukum <oneukum@...e.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Kostya Serebryany <kcc@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>, Alexander Potapenko <glider@...gle.com>, USB list <linux-usb@...r.kernel.org>, Network Development <netdev@...r.kernel.org> Subject: Re: Possible double-free in the usbnet driver On Sat, Mar 5, 2016 at 1:43 AM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Fri, Mar 4, 2016 at 2:26 PM, Andrey Konovalov <andreyknvl@...il.com> wrote: >> >> and when I run the vm and connect the device I get: >> >> [ 23.672662] cdc_ncm 1-1:1.6: bind() failure >> [ 23.673447] usbnet_probe(): freeing netdev: ffff88006ab48000 >> [ 23.675822] usbnet_probe(): freeing netdev: ffff88006ab48000 >> >> So this seems to be a double-free (or at least a double free_netdev() >> call), but the object gets freed twice from usbnet_probe() and not >> from usbnet_disconnect(), so you're right that the latter doesn't get >> called. I'm not sure how usbnet_probe() ends up being called twice. > > I still don't think it's a double free. I think the probe thing is > called twice, and that's why to different allocations get free'd twice > (and the reason it's the same pointer is that the same allocation got > reused) > > But I don't know that driver, really. > >>> Which particular usbnet bind routine is this? There are multiple >>> sub-drivers for usbnet that all do different things. >> >> cdc_ncm_bind() > > Ok, so that matches my theory. > > Does this attached stupid patch make the warning go away? Because from > what I can tell, usbnet_link_change() really will start using that > "dev" that simply isn't valid - and will be free'd - if the bind > fails. Yes, KASAN doesn't report anything with your patch. > > So you have usbnet_defer_kevent() getting triggered, which in turn > ends up using "usbnet->kevent" > > But somebody like Oliver is really the right person to check this. For > example, it's entirely possible that we should just instead do > > cancel_work_sync(&dev->kevent); > > before the "free_netdev(net)" in the "out1" label. > > And there might be other things that bind() can have touched than the > kevent workqueue. > > Linus
Powered by blists - more mailing lists