Message-Id: <20170808.211442.1758463645187832260.davem@davemloft.net>
Date:   Tue, 08 Aug 2017 21:14:42 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     bjorn@...k.no
Cc:     netdev@...r.kernel.org, linux-usb@...r.kernel.org, dnlplm@...il.com
Subject: Re: [PATCH net,stable] qmi_wwan: fix NULL deref on disconnect

From: Bjørn Mork <bjorn@...k.no>
Date: Tue,  8 Aug 2017 18:02:11 +0200

> qmi_wwan_disconnect is called twice when disconnecting devices with
> separate control and data interfaces.  The first invocation will set
> the interface data to NULL for both interfaces to flag that the
> disconnect has been handled.  But the matching NULL check was left
> out when qmi_wwan_disconnect was added, resulting in this oops:
> 
>   usb 2-1.4: USB disconnect, device number 4
>   qmi_wwan 2-1.4:1.6 wwp0s29u1u4i6: unregister 'qmi_wwan' usb-0000:00:1d.0-1.4, WWAN/QMI device
>   BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0
>   IP: qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
>   PGD 0
>   P4D 0
>   Oops: 0000 [#1] SMP
>   Modules linked in: <stripped irrelevant module list>
>   CPU: 2 PID: 33 Comm: kworker/2:1 Tainted: G            E   4.12.3-nr44-normandy-r1500619820+ #1
>   Hardware name: LENOVO 4291LR7/4291LR7, BIOS CBET4000 4.6-810-g50522254fb 07/21/2017
>   Workqueue: usb_hub_wq hub_event [usbcore]
>   task: ffff8c882b716040 task.stack: ffffb8e800d84000
>   RIP: 0010:qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
>   RSP: 0018:ffffb8e800d87b38 EFLAGS: 00010246
>   RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
>   RDX: 0000000000000001 RSI: ffff8c8824f3f1d0 RDI: ffff8c8824ef6400
>   RBP: ffff8c8824ef6400 R08: 0000000000000000 R09: 0000000000000000
>   R10: ffffb8e800d87780 R11: 0000000000000011 R12: ffffffffc07ea0e8
>   R13: ffff8c8824e2e000 R14: ffff8c8824e2e098 R15: 0000000000000000
>   FS:  0000000000000000(0000) GS:ffff8c8835300000(0000) knlGS:0000000000000000
>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   CR2: 00000000000000e0 CR3: 0000000229ca5000 CR4: 00000000000406e0
>   Call Trace:
>    ? usb_unbind_interface+0x71/0x270 [usbcore]
>    ? device_release_driver_internal+0x154/0x210
>    ? qmi_wwan_unbind+0x6d/0xc0 [qmi_wwan]
>    ? usbnet_disconnect+0x6c/0xf0 [usbnet]
>    ? qmi_wwan_disconnect+0x87/0xc0 [qmi_wwan]
>    ? usb_unbind_interface+0x71/0x270 [usbcore]
>    ? device_release_driver_internal+0x154/0x210
> 
> Reported-and-tested-by: Nathaniel Roach <nroach44@...il.com>
> Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
> Cc: Daniele Palmas <dnlplm@...il.com>
> Signed-off-by: Bjørn Mork <bjorn@...k.no>

Applied and queued up for -stable, thanks.
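
The double-disconnect sequence described in the quoted commit message, as an added userspace model (not part of the original thread and not the driver's code). All `model_*` names, `guarded_noops` and `run_model` are hypothetical stand-ins for the kernel objects; only the control flow follows the description above.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel objects; all names are hypothetical. */
struct model_intf { void *intfdata; };
struct model_dev {
    struct model_intf *control, *data; /* separate control and data interfaces */
    int teardowns;                     /* times device state was torn down */
};

static int guarded_noops;              /* re-entries stopped by the NULL check */
static void model_disconnect(struct model_intf *intf);

/* Unbind step: clear the sibling's interface data to flag "already handled",
 * then release the sibling, which re-enters the disconnect handler. */
static void model_unbind(struct model_dev *dev, struct model_intf *intf)
{
    struct model_intf *other = (intf == dev->control) ? dev->data : dev->control;

    if (other && other != intf) {
        other->intfdata = NULL;
        model_disconnect(other);       /* the second invocation */
    }
    intf->intfdata = NULL;
}

static void model_disconnect(struct model_intf *intf)
{
    struct model_dev *dev = intf->intfdata;

    if (!dev) {                        /* disconnect already handled */
        guarded_noops++;
        return;
    }
    dev->teardowns++;   /* without the check above, this dereferences NULL */
    model_unbind(dev, intf);
}

/* Disconnect a two-interface device; returns teardowns * 10 + guarded no-ops. */
int run_model(int control_first)
{
    struct model_intf ctl = {0}, dat = {0};
    struct model_dev dev = { &ctl, &dat, 0 };

    guarded_noops = 0;
    ctl.intfdata = dat.intfdata = &dev;
    model_disconnect(control_first ? &ctl : &dat);
    return dev.teardowns * 10 + guarded_noops;
}

int main(void) { printf("result=%d\n", run_model(1)); return 0; }
```

Whichever interface is disconnected first, the device is torn down once and the nested call on the sibling returns at the NULL check.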
