lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CA+fCnZdurxGBsOrANb_m5BLK1BKzH3J_GmZ=dbH=ABThgFNGxg@mail.gmail.com>
Date:	Mon, 7 Mar 2016 22:50:41 +0300
From:	Andrey Konovalov <andreyknvl@...il.com>
To:	David Miller <davem@...emloft.net>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>, bjorn@...k.no,
	Oliver Neukum <oneukum@...e.com>,
	Dmitry Vyukov <dvyukov@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	USB list <linux-usb@...r.kernel.org>,
	Network Development <netdev@...r.kernel.org>
Subject: Re: Possible double-free in the usbnet driver

On Mon, Mar 7, 2016 at 10:11 PM, David Miller <davem@...emloft.net> wrote:
> From: Linus Torvalds <torvalds@...ux-foundation.org>
> Date: Mon, 7 Mar 2016 10:13:09 -0800
>
>> On Sat, Mar 5, 2016 at 11:53 AM, Bjørn Mork <bjorn@...k.no> wrote:
>>>
>>>
>>> Definitely.  The patch is so obviously correct that we can only wonder how it was possible to miss it it the first place :)
>>>
>>> Will take a look to see if we could do a better job cleaning up in other places.
>>
>> What should I do for 4.5? Will there be a pull request for this, or
>> should I just commit my cdc_ncm_bind() patch directly?
>
> Yes I plan to send you a pull request today with Oliver's fix.
>
> Assuming this is what you guys are referring to:
>
> commit 1666984c8625b3db19a9abc298931d35ab7bc64b
> Author: Oliver Neukum <oneukum@...e.com>
> Date:   Mon Mar 7 11:31:10 2016 +0100
>
>     usbnet: cleanup after bind() in probe()
>
>     In case bind() works, but a later error forces bailing
>     in probe() in error cases work and a timer may be scheduled.
>     They must be killed. This fixes an error case related to
>     the double free reported in
>     http://www.spinics.net/lists/netdev/msg367669.html
>     and needs to go on top of Linus' fix to cdc-ncm.
>
>     Signed-off-by: Oliver Neukum <ONeukum@...e.com>
>     Signed-off-by: David S. Miller <davem@...emloft.net>

Could you also add:
Reported-by: Andrey Konovalov <andreyknvl@...il.com>
?

Thanks in advance.

>
> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> index 0b0ba7e..1079812 100644
> --- a/drivers/net/usb/usbnet.c
> +++ b/drivers/net/usb/usbnet.c
> @@ -1769,6 +1769,13 @@ out3:
>         if (info->unbind)
>                 info->unbind (dev, udev);
>  out1:
> +       /* subdrivers must undo all they did in bind() if they
> +        * fail it, but we may fail later and a deferred kevent
> +        * may trigger an error resubmitting itself and, worse,
> +        * schedule a timer. So we kill it all just in case.
> +        */
> +       cancel_work_sync(&dev->kevent);
> +       del_timer_sync(&dev->delay);
>         free_netdev(net);
>  out:
>         return status;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ