Linux wireless drivers development
 help / color / mirror / Atom feed
* [PATCH 1/2] ath9k: fix tx99 use after free
@ 2017-06-20  1:13 miaoqing
  2017-06-20  1:13 ` [PATCH 2/2] ath9k: fix tx99 bus error miaoqing
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: miaoqing @ 2017-06-20  1:13 UTC (permalink / raw)
  To: kvalo; +Cc: linux-wireless, ath9k-devel, sssa, Miaoqing Pan

From: Miaoqing Pan <miaoqing@codeaurora.org>

One scenario that could lead to UAF is two threads writing
simultaneously to the "tx99" debug file. One of them would
set the "start" value to true and follow to ath9k_tx99_init().
Inside the function it would set the sc->tx99_state to true
after allocating sc->tx99skb. Then, the other thread would
execute write_file_tx99() and call ath9k_tx99_deinit().
sc->tx99_state would be freed. After that, the first thread
would continue inside ath9k_tx99_init() and call
r = ath9k_tx99_send(sc, sc->tx99_skb, &txctl);
that would make use of the freed sc->tx99_skb memory.

Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
---
 drivers/net/wireless/ath/ath9k/tx99.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/tx99.c b/drivers/net/wireless/ath/ath9k/tx99.c
index a866cbd..49ed1af 100644
--- a/drivers/net/wireless/ath/ath9k/tx99.c
+++ b/drivers/net/wireless/ath/ath9k/tx99.c
@@ -189,22 +189,27 @@ static ssize_t write_file_tx99(struct file *file, const char __user *user_buf,
 	if (strtobool(buf, &start))
 		return -EINVAL;
 
+	mutex_lock(&sc->mutex);
+
 	if (start == sc->tx99_state) {
 		if (!start)
-			return count;
+			goto out;
 		ath_dbg(common, XMIT, "Resetting TX99\n");
 		ath9k_tx99_deinit(sc);
 	}
 
 	if (!start) {
 		ath9k_tx99_deinit(sc);
-		return count;
+		goto out;
 	}
 
 	r = ath9k_tx99_init(sc);
-	if (r)
+	if (r) {
+		mutex_unlock(&sc->mutex);
 		return r;
-
+	}
+out:
+	mutex_unlock(&sc->mutex);
 	return count;
 }
 
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2018-04-16 13:04 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-20  1:13 [PATCH 1/2] ath9k: fix tx99 use after free miaoqing
2017-06-20  1:13 ` [PATCH 2/2] ath9k: fix tx99 bus error miaoqing
2018-04-16 12:57   ` Sven Eckelmann
2017-06-21 13:52 ` [1/2] ath9k: fix tx99 use after free Kalle Valo
2017-06-28 16:53 ` Kalle Valo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox