Re: [linux-usb-devel] Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completing async USB via usbdevio

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Sep 27, 2005 at 07:53:30AM -0700, Linus Torvalds wrote:
> On Sun, 25 Sep 2005, Harald Welte wrote:
> > 
> > async_completed() calls send_sig_info(), which in turn does a
> > spin_lock(&tasklist_lock) to protect itself from task_struct->sighand
> > from going away.  However, the call to
> > "spin_lock_irqsave(task_struct->sighand->siglock)" causes an oops,
> > because "sighand" has disappeared.
> 
> And the real bug is that you're buggering up the system in the first 
> place.
> 
> You don't save "current". You save "pid", and then you send a signal using 
> that and kill_proc_info(). End of story, bug gone. And it works with 
> threaded programs too, which the old thing didn't work at all with.

And then a process calls USBDEVFS_SUBMITURB and immediately exits; its
pid gets reused by a completely different process (maybe even
root-owned), then the urb completes, and kill_proc_info() sends the
signal to the unsuspecting process.

> I refuse to apply this patch - Greg, don't even _try_ to sneak this in 
> through a git merge. What a horribly broken thing to do: why would USB 
> _ever_ need to know about things like tasklist_lock, and internal signal 
> handling functions and rules like "p->sighand"?

Hmm, then probably send_sig_info() should check for non-NULL
p->sighand after taking tasklist_lock?  Otherwise all uses of
send_sig_info() for non-current tasks are unsafe.

"git grep -w send_sig_info" shows that most callers call
send_sig_info() for the current task, except these:

arch/sparc/kernel/traps.c:      send_sig_info(SIGFPE, &info, fpt);
arch/sparc64/kernel/sys_sunos32.c:      send_sig_info(SIGSYS, &info, current);
drivers/char/drm/drm_irq.c:                     send_sig_info( vbl_sig->info.si_signo, &vbl_sig->info, vbl_sig->task );
drivers/usb/core/devio.c:               send_sig_info(as->signr, &sinfo, as->task);
drivers/usb/core/inode.c:                       send_sig_info(ds->discsignr, &sinfo, ds->disctask);
drivers/usb/gadget/file_storage.c:                      send_sig_info(SIGUSR1, SEND_SIG_FORCED, thread_task);
kernel/signal.c:        return send_sig_info(sig, (void*)(long)(priv != 0), p);

BTW, all other callers of send_sig_info() are under
arch/{alpha,arm,sparc,sparc64}/ - 23 total.

Attachment: pgpH9ksTo11fN.pgp
Description: PGP signature


[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]
  Powered by Linux