From: Soumya Negi <soumya.negi97@gmail.com>
To: Pavel Skripkin <paskripkin@gmail.com>
Cc: linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [RFT PATCH] isdn: capi: Add check for controller count in detach_capi_ctr()
Date: Sat, 2 Jul 2022 02:37:35 -0700 [thread overview]
Message-ID: <20220702093734.GA24575@Negi> (raw)
In-Reply-To: <ee159745-07d2-dca3-6be3-bef823090088@gmail.com>
On Sat, Jul 02, 2022 at 11:14:06AM +0300, Pavel Skripkin wrote:
> Hi Soumya,
>
> Soumya Negi <soumya.negi97@gmail.com> says:
> > Fixes Syzbot bug:
> > https://syzkaller.appspot.com/bug?id=14f4820fbd379105a71fdee357b0759b90587a4e
> >
> > This patch checks whether any ISDN devices are registered before unregistering
> > a CAPI controller(device). Without the check, the controller struct capi_str
> > results in out-of-bounds access bugs to other CAPI data strucures in
> > detach_capri_ctr() as seen in the bug report.
> >
> > Reported-by: syzbot+9d567e08d3970bfd8271@syzkaller.appspotmail.com
> >
> > Signed-off-by: Soumya Negi <soumya.negi97@gmail.com>
> > ---
> > drivers/isdn/capi/kcapi.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
> > index 18de41a266eb..6175ff7ec749 100644
> > --- a/drivers/isdn/capi/kcapi.c
> > +++ b/drivers/isdn/capi/kcapi.c
> > @@ -563,6 +563,9 @@ int detach_capi_ctr(struct capi_ctr *ctr)
> > mutex_lock(&capi_controller_lock);
> > + if (ncontrollers == 0)
> > + goto unlock_out;
> > +
>
> It seems like to fix the problem. Did you mean to return 0 in case of
> ncontrollers == 0? Maybe it's better to return an error to indicate that
> function was called wrongly.
Yes, I let detach_capi_ctr() exit without an error code since I figured the
issue is caused by another subsystem in the first place.
But your logic sounds right. It is still an error and should be reflected
on return. I'll do that.
> On the other hand it means there are suspicious callers of that function.
> Maybe they should be fixed too.
It is being wrongly called without a controller count check from an external
function in the bluetooth stack's CMTP module. Should I fix the calling
function in the same patch or go for a patchset?
> I'd put a warning in case of `ncontrollers == 0`, to indicate that something
> is going completely wrong.
Thanks for the quick reply,
Soumya
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
next prev parent reply other threads:[~2022-07-02 9:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-01 23:50 [RFT PATCH] isdn: capi: Add check for controller count in detach_capi_ctr() Soumya Negi
2022-07-02 8:14 ` Pavel Skripkin
2022-07-02 9:37 ` Soumya Negi [this message]
2022-07-05 3:03 ` Soumya Negi
2022-07-07 19:51 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220702093734.GA24575@Negi \
--to=soumya.negi97@gmail.com \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=paskripkin@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox