lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 24 Sep 2022 10:18:42 +0800
From:   Duoming Zhou <>
        Duoming Zhou <>
Subject: [PATCH V3] mISDN: fix use-after-free bugs in l1oip timer handlers

The l1oip_cleanup() traverses the l1oip_ilist and calls
release_card() to cleanup module and stack. However,
release_card() calls del_timer() to delete the timers
such as keep_tl and timeout_tl. If the timer handler is
running, the del_timer() will not stop it and result in
UAF bugs. One of the processes is shown below:

    (cleanup routine)          |        (timer handler)
release_card()                 | l1oip_timeout()
 ...                           |
 del_timer()                   | ...
 ...                           |
 kfree(hc) //FREE              |
                               | hc->timeout_on = 0 //USE

Fix by calling del_timer_sync() in release_card(), which
makes sure the timer handlers have finished before the
resources, such as l1oip and so on, have been deallocated.

What's more, the hc->workq and hc->socket_thread can kick
those timers right back in. We use del_timer_sync(&hc->keep_tl)
and cancel_work_sync(&hc->workq) twice to stop keep_tl timer
and hc->workq. Then, we add del_timer_sync(&hc->timeout_tl)
inside l1oip_socket_close() to stop timeout_tl timer. Because
the hc->socket_thread has been killed and the timeout_tl timer
will not be rescheduled.

Fixes: 3712b42d4b1b ("Add layer1 over IP support")
Signed-off-by: Duoming Zhou <>
Changes in v3:
  - Make commit messages more clearer.
  - Add del_timer_sync(&hc->timeout_tl) inside l1oip_socket_close().

 drivers/isdn/mISDN/l1oip_core.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/isdn/mISDN/l1oip_core.c b/drivers/isdn/mISDN/l1oip_core.c
index 2c40412466e..5939f1d8f08 100644
--- a/drivers/isdn/mISDN/l1oip_core.c
+++ b/drivers/isdn/mISDN/l1oip_core.c
@@ -762,6 +762,8 @@ l1oip_socket_close(struct l1oip *hc)
+	del_timer_sync(&hc->timeout_tl);
 	/* if active, we send up a PH_DEACTIVATE and deactivate */
 	if (test_bit(FLG_ACTIVE, &dch->Flags)) {
 		if (debug & (DEBUG_L1OIP_MSG | DEBUG_L1OIP_SOCKET))
@@ -1232,12 +1234,10 @@ release_card(struct l1oip *hc)
 	int	ch;
-	if (timer_pending(&hc->keep_tl))
-		del_timer(&hc->keep_tl);
-	if (timer_pending(&hc->timeout_tl))
-		del_timer(&hc->timeout_tl);
+	del_timer_sync(&hc->keep_tl);
+	del_timer_sync(&hc->timeout_tl);
+	cancel_work_sync(&hc->workq);
+	del_timer_sync(&hc->keep_tl);
 	if (hc->socket_thread)

Powered by blists - more mailing lists