The function at issue does not always initialize each byte allocated for 'b'
and can therefore leak uninitialized memory to a USB device in the call to
usb_bulk_msg()
Use kzalloc() instead of kmalloc()
Signed-off-by: Tomas Bortoli
Reported-by: syzbot+0522702
Uninitialized Kernel memory can leak to USB devices.
Fix by using kzalloc() instead of kmalloc() on the affected buffers.
Signed-off-by: Tomas Bortoli
Reported-by: syzbot+d6a5a1a3657b596ef...@syzkaller.appspotmail.com
Reported-by: syzbot+513e4d0985298538b...@syzkaller.appspotmail.com
---
Crash
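The two messages above describe the same bug class: a kmalloc() buffer is only partly written and then handed whole to usb_bulk_msg(). Added example, not code from either patch: a small user-space model of that pattern, with a kmalloc-like allocator that returns a "recycled" object still holding old bytes (the 0xAA fill is constructed) and a kzalloc-like one that zeroes it. All sim_* names are this example's own, not kernel APIs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIM_OBJ_SZ 32u          /* size of the recycled slab object in this model */

/* A slab object being reused still holds its previous owner's bytes; we
 * model that with the constructed fill pattern 0xAA. */
static uint8_t sim_slab_obj[SIM_OBJ_SZ];
static uint8_t sim_wire[SIM_OBJ_SZ];   /* what the USB device received */

static void sim_slab_reset(void)
{
    memset(sim_slab_obj, 0xAA, SIM_OBJ_SZ);
}

/* kmalloc-like: hands the recycled object out untouched */
static uint8_t *sim_kmalloc(size_t n)
{
    return n <= SIM_OBJ_SZ ? sim_slab_obj : NULL;
}

/* kzalloc-like: same object, zeroed before the caller sees it */
static uint8_t *sim_kzalloc(size_t n)
{
    uint8_t *p = sim_kmalloc(n);

    if (p)
        memset(p, 0, n);
    return p;
}

/* Stand-in for usb_bulk_msg(): every byte of b[0..len) leaves the host. */
static void sim_usb_bulk_msg(const uint8_t *b, size_t len)
{
    memcpy(sim_wire, b, len);
}

/* The driver pattern at issue: allocate a fixed-size command buffer, write
 * only the 'plen' bytes it actually has, then transmit the whole buffer.
 * Returns how many transmitted bytes beyond the payload are non-zero, i.e.
 * how many stale kernel bytes reached the device. */
static size_t send_cmd(uint8_t *(*alloc)(size_t), const uint8_t *payload, size_t plen)
{
    uint8_t *b;
    size_t i, leaked = 0;

    if (plen > SIM_OBJ_SZ)
        return (size_t)-1;
    sim_slab_reset();
    b = alloc(SIM_OBJ_SZ);
    if (!b)
        return (size_t)-1;

    memcpy(b, payload, plen);           /* b[plen..SIM_OBJ_SZ) is never written */
    sim_usb_bulk_msg(b, SIM_OBJ_SZ);    /* ...but all of it is sent */

    for (i = plen; i < SIM_OBJ_SZ; i++)
        if (sim_wire[i] != 0)
            leaked++;
    return leaked;
}

int main(void)
{
    static const uint8_t cmd[] = { 0x01, 0x02, 0x03, 0x04 };   /* constructed payload */

    printf("kmalloc: %zu stale bytes on the wire\n", send_cmd(sim_kmalloc, cmd, sizeof cmd));
    printf("kzalloc: %zu stale bytes on the wire\n", send_cmd(sim_kzalloc, cmd, sizeof cmd));
    return 0;
}
```

With the kmalloc-like allocator the 28 bytes after the payload arrive at the device as the stale pattern; with the kzalloc-like one they arrive as zeros. Zeroing is the cheap fix; the other valid remedy is to pass only the bytes actually written as the usb_bulk_msg() length, which also stops the device from seeing padding at all.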
On 5/28/19 10:31 PM, Steven Rostedt wrote:
> On Tue, 28 May 2019 17:43:38 +0200
> Tomas Bortoli wrote:
>
>> @@ -578,6 +578,8 @@ predicate_parse(const char *str, int nr_parens, int
>> nr_preds,
>> out_free:
>> kfree(op_stack);
>> kfree(inverts);
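Review bot: the visible out_free path still frees only op_stack and inverts, while the commit message says the leak is the predicates held in the temporary prog_stack array; the hunk header (+6 to +8) promises two added lines, so make sure they walk prog_stack and free each entry's pred, and that the loop bound tracks how many entries were actually populated (or prog_stack was allocated zeroed) so an error taken part-way through the parse never frees an uninitialized pointer.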
On 5/28/19 5:48 PM, Steven Rostedt wrote:
> On Tue, 28 May 2019 17:43:38 +0200
> Tomas Bortoli wrote:
>
>> In case of errors, predicate_parse() goes to the out_free label
>> to free memory and to return an error code.
>>
>> However, predicate_parse() do
In case of errors, predicate_parse() goes to the out_free label
to free memory and to return an error code.
However, predicate_parse() does not free the predicates of the
temporary prog_stack array, thence leaking them.
Signed-off-by: Tomas Bortoli
Reported-by: syzbot+6b8e0fb820e570c59
On 5/28/19 5:29 PM, Steven Rostedt wrote:
> On Tue, 28 May 2019 17:18:59 +0200
> Tomas Bortoli wrote:
>
>>>> + memset(prog_stack, 0, nr_preds * sizeof(*prog_stack));
>>>> +
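Review bot: zeroing prog_stack with a separate memset after the allocation costs a second pass over the array and leaves a window where it holds stale pointers; allocate it zeroed instead (e.g. kcalloc(nr_preds, sizeof(*prog_stack), GFP_KERNEL)), which is also what the reply below asks for, and then the error path can safely free every entry because unused slots are NULL.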
>>>
>>> Can you instead just switch the allocation of prog_stack to
On 5/28/19 4:44 PM, Steven Rostedt wrote:
> On Tue, 28 May 2019 15:46:59 +0200
> Tomas Bortoli wrote:
>
>> In case of errors, predicate_parse() goes to the out_free label
>> to free memory and to return an error code.
>>
>> However, predicate_parse() do
In case of errors, predicate_parse() goes to the out_free label
to free memory and to return an error code.
However, predicate_parse() does not free the predicates of the
temporary prog_stack array, thence leaking them.
Signed-off-by: Tomas Bortoli
Reported-by: syzbot+6b8e0fb820e570c59
Syzkaller found that it is possible to provoke a memory leak by
never freeing rx_skb in struct bcsp_struct.
Fix by freeing in bcsp_close()
Signed-off-by: Tomas Bortoli
Reported-by: syzbot+98162c885993b72f1...@syzkaller.appspotmail.com
---
drivers/bluetooth/hci_bcsp.c | 4
1 file changed
hci_inquiry_result_with_rssi_evt() can perform out of bound reads
on skb->data as a bound check is missing.
Signed-off-by: Tomas Bortoli
Reported-by: syzbot+cec7a50c412a2c03f...@syzkaller.appspotmail.com
Reported-by: syzbot+660883c56e2fa65d4...@syzkaller.appspotmail.com
---
v2:
- chan
Hi Dan,
On 3/4/19 4:04 PM, Dan Carpenter wrote:
> Hi Tomas,
>
> url:
> https://github.com/0day-ci/linux/commits/Tomas-Bortoli/net-bluetooth-Fix-bound-check-in-event-handling/20190301-213647
> base:
> https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-
Hi Marcel,
On 3/2/19 5:46 PM, Marcel Holtmann wrote:
> Hi Tomas,
>
>> hci_inquiry_result_with_rssi_evt() can perform out of bound reads
>> on skb->data as a bound check is missing.
>>
>> Signed-off-by: Tomas Bortoli
>> Reported-by: syzbot+cec7a50
hci_inquiry_result_with_rssi_evt() can perform out of bound reads
on skb->data as a bound check is missing.
Signed-off-by: Tomas Bortoli
Reported-by: syzbot+cec7a50c412a2c03f...@syzkaller.appspotmail.com
Reported-by: syzbot+660883c56e2fa65d4...@syzkaller.appspotmail.com
---
Syzkaller repo
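The missing bound in hci_inquiry_result_with_rssi_evt() is that num_rsp, the first byte of the event, is trusted to describe how many records follow. Added example, not the kernel's code or the patch: a user-space model of the same parse with the check in place, plus a helper that computes how far the unchecked loop would read past the event. The 14-byte record layout follows struct inquiry_info_with_rssi; the two-response event, the evt_buf/inq_result types and the make_event() helper are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One response as Linux lays it out (struct inquiry_info_with_rssi):
 * bdaddr[6], pscan_rep_mode, pscan_period_mode, dev_class[3],
 * clock_offset (LE16), rssi (s8): 14 bytes. */
#define INFO_SZ   14u
#define SAMPLE_SZ (1u + 2u * INFO_SZ)

struct evt_buf {                 /* this model's skb->data / skb->len */
    const uint8_t *data;
    size_t len;
};

struct inq_result {
    uint8_t bdaddr[6];
    uint16_t clock_offset;
    int8_t rssi;
};

/* The unchecked walk trusts num_rsp; this helper returns how many bytes
 * past the end of the event it would read (0 when none) instead of
 * actually reading them. */
static size_t bytes_read_past_end(const struct evt_buf *e)
{
    size_t need;

    if (e->len < 1)
        return 0;
    need = 1 + (size_t)e->data[0] * INFO_SZ;
    return need > e->len ? need - e->len : 0;
}

/* Checked walk: fills out[] (at most max_out entries) and returns the number
 * of responses parsed, or -1 when num_rsp promises more than e->len holds. */
static int parse_inquiry_rssi(const struct evt_buf *e, struct inq_result *out, size_t max_out)
{
    size_t num_rsp, i;
    const uint8_t *p;

    if (e->len < 1)
        return -1;
    num_rsp = e->data[0];
    /* the missing bound: all num_rsp records must fit before any is touched;
     * dividing rather than multiplying keeps the comparison overflow-free */
    if (num_rsp > max_out || (e->len - 1) / INFO_SZ < num_rsp)
        return -1;

    p = e->data + 1;
    for (i = 0; i < num_rsp; i++, p += INFO_SZ) {
        memcpy(out[i].bdaddr, p, 6);
        out[i].clock_offset = (uint16_t)(p[11] | (p[12] << 8));
        out[i].rssi = (int8_t)p[13];
    }
    return (int)num_rsp;
}

/* Constructed event carrying two responses; 'num_rsp' overrides the count
 * byte so a lying header can be tested against the same body. */
static struct evt_buf make_event(uint8_t num_rsp, uint8_t storage[SAMPLE_SZ])
{
    static const uint8_t body[SAMPLE_SZ] = {
        2,
        0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x01, 0x00, 0x0c, 0x02, 0x5a, 0x34, 0x12, 0xc4, /* rssi -60 */
        0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x00, 0x04, 0x01, 0x0c, 0x78, 0x56, 0xd8, /* rssi -40 */
    };
    struct evt_buf e = { storage, SAMPLE_SZ };

    memcpy(storage, body, SAMPLE_SZ);
    storage[0] = num_rsp;
    return e;
}

int main(void)
{
    uint8_t s1[SAMPLE_SZ], s2[SAMPLE_SZ];
    struct inq_result r[4];
    struct evt_buf good = make_event(2, s1), bad = make_event(3, s2);

    printf("good: parsed %d, over-read %zu\n", parse_inquiry_rssi(&good, r, 4), bytes_read_past_end(&good));
    printf("bad:  parsed %d, over-read %zu\n", parse_inquiry_rssi(&bad, r, 4), bytes_read_past_end(&bad));
    return 0;
}
```

With num_rsp forged to 3 on a 29-byte event the unchecked loop would read 14 bytes beyond skb->data, exactly the KASAN out-of-bounds read syzbot reported; the checked parser refuses the event before touching any record. In the kernel the same length is also what distinguishes the 14-byte layout from the 15-byte one with pscan_mode, so the check has to come before that selection too.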
Hi Paolo,
On 1/7/19 11:42 PM, Paolo Bonzini wrote:
> On 02/01/19 18:29, Tomas Bortoli wrote:
>> n = kvm_dirty_bitmap_bytes(memslot);
>> +
>> +if (n << 3 < log->num_pages || log->first_page > log->num_pages)
>> +return -EIN
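Review bot: the two conditions do not bound the range itself. `n << 3 < log->num_pages` only rejects a num_pages larger than the whole bitmap, and `log->first_page > log->num_pages` compares first_page with the wrong quantity, so on a 1024-page slot first_page = 512 with num_pages = 1024 passes and the loop still walks 512 pages past the bitmap, while a legitimate first_page = 960, num_pages = 64 is refused. Check first_page against the slot size and num_pages against the pages remaining after it, e.g. `if (log->first_page > memslot->npages || log->num_pages > memslot->npages - log->first_page) return -EINVAL;`, which also avoids an overflowing first_page + num_pages; note that n is rounded up to whole longs, so `n << 3` can exceed memslot->npages and is not the right upper bound on its own.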
Signed-off-by: Tomas Bortoli
Reported-by: syzbot+028366e52c9ace67d...@syzkaller.appspotmail.com
---
Syzbot report:
BUG: KASAN: slab-out-of-bounds in kvm_clear_dirty_log_protect+0x8cf/0x970
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1262
Read of size 8 at addr 88809e631290 by task syz
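The KASAN report above is a read past the dirty bitmap, so the real question for this patch is how to validate a (first_page, num_pages) window against a slot. Added example, not the patch's code or KVM's: the check from the quoted hunk reproduced for comparison, next to a validation this example proposes. The alignment rule it enforces (first_page a multiple of 64, num_pages a multiple of 64 unless the window ends exactly at the slot end) is this example's assumption, modelled on the bitmap being consumed one unsigned long at a time; dirty_bitmap_bytes() mimics the rounding kvm_dirty_bitmap_bytes() does.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG 64u

/* bytes the bitmap occupies: one bit per page, rounded up to whole longs */
static uint64_t dirty_bitmap_bytes(uint64_t npages)
{
    return ((npages + BITS_PER_LONG - 1) / BITS_PER_LONG) * (BITS_PER_LONG / 8);
}

/* The condition as written in the quoted hunk, kept only for comparison. */
static int flawed_check(uint64_t npages, uint64_t first_page, uint64_t num_pages)
{
    uint64_t n = dirty_bitmap_bytes(npages);

    if (n << 3 < num_pages || first_page > num_pages)
        return -EINVAL;
    return 0;
}

/* Validation this example proposes: [first_page, first_page + num_pages)
 * must lie inside the slot, computed without overflow, and because the
 * bitmap is walked 64 bits at a time first_page must be 64-aligned and
 * num_pages must be too unless the window ends exactly at the slot end. */
static int validate_clear_range(uint64_t npages, uint64_t first_page, uint64_t num_pages)
{
    if (first_page > npages)
        return -EINVAL;
    if (num_pages > npages - first_page)      /* never forms first_page + num_pages */
        return -EINVAL;
    if (first_page & (BITS_PER_LONG - 1))
        return -EINVAL;
    if ((num_pages & (BITS_PER_LONG - 1)) && first_page + num_pages != npages)
        return -EINVAL;
    return 0;
}

/* Number of unsigned longs a caller may then safely walk starting at word
 * first_page / BITS_PER_LONG; 0 when the window is rejected. */
static uint64_t clear_words(uint64_t npages, uint64_t first_page, uint64_t num_pages)
{
    if (validate_clear_range(npages, first_page, num_pages))
        return 0;
    return (num_pages + BITS_PER_LONG - 1) / BITS_PER_LONG;
}

int main(void)
{
    printf("slot 1024, window 512+1024: flawed=%d proposed=%d\n",
           flawed_check(1024, 512, 1024), validate_clear_range(1024, 512, 1024));
    printf("slot 1024, window 960+64:   flawed=%d proposed=%d (%llu words)\n",
           flawed_check(1024, 960, 64), validate_clear_range(1024, 960, 64),
           (unsigned long long)clear_words(1024, 960, 64));
    return 0;
}
```

The first window is the one the quoted check lets through although it overruns the slot by 512 pages; the second is a perfectly good window the quoted check refuses because 960 > 64. The subtraction form `num_pages > npages - first_page` is what keeps a huge first_page from wrapping the sum back into range.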
On 12/17/18 12:01 PM, Dominique Martinet wrote:
> Tomas Bortoli wrote on Mon, Dec 17, 2018:
>> sorry for the delay, I've been quite busy these days.
>
> No problem.
>
>> The patches looks good to me and should indeed speed up the code a bit.
>> I quickly test
haven't been replied to
>
> Signed-off-by: Dominique Martinet
> Cc: Eric Van Hensbergen
> Cc: Latchesar Ionkov
> Cc: Tomas Bortoli
> Cc: Dmitry Vyukov
> ---
>
> I've been sitting on these patches for almost a month now because I
> wanted to fix the canc
haven't been replied to
>
> Signed-off-by: Dominique Martinet
> Cc: Eric Van Hensbergen
> Cc: Latchesar Ionkov
> Cc: Tomas Bortoli
> Cc: Dmitry Vyukov
> ---
>
> I've been sitting on these patches for almost a month now because I
> wanted to fix the canc
On 08/14/2018 03:38 AM, piaojun wrote:
> Hi Tomas & Dominique,
>
> On 2018/8/11 22:42, Tomas Bortoli wrote:
>> To avoid use-after-free(s), use a refcount to keep track of the
>> usable references to any instantiated struct p9_req_t.
>>
>> This commi
In sight of the next patch to add a refcount in p9_req_t, rename
the p9_free_req() function in p9_release_req().
In the next patch the actual kfree will be moved to another function.
Signed-off-by: Tomas Bortoli
Signed-off-by: Dominique Martinet
---
net/9p/client.c | 100
On 07/25/2018 06:11 AM, Dominique Martinet wrote:
> Tomas Bortoli wrote on Mon, Jul 23, 2018:
>> diff --git a/net/9p/client.c b/net/9p/client.c
>> index 18c5271910dc..92240ccf476b 100644
>> --- a/net/9p/client.c
>> +++ b/net/9p/client.c
>> @@ -524,6 +525,12 @@
On 07/11/2018 03:26 AM, jiangyiwen wrote:
> On 2018/7/10 6:29, Tomas Bortoli wrote:
>> The p9_client_version() does not initialize the version
>> pointer. If the call to p9pdu_readf() returns an error and version has not
>> been allocated in p9pdu_readf(), then the program wi
On 07/11/2018 04:04 AM, jiangyiwen wrote:
> On 2018/7/10 3:26, Tomas Bortoli wrote:
>> The pdu_read() function suffers from an integer underflow.
>> When pdu->offset is greater than pdu->size, the length calculation will have
>> a wrong result, resulting in an out-o
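The underflow described above is the classic `size - offset` computed in size_t with offset already past size. Added example, neither the 9p code nor the patch: a user-space pdu model showing the length the unchecked subtraction yields (computed, not used for a copy) and a bounds-safe read with the same contract as 9p's pdu_read(), returning how many requested bytes could not be read. The pdu struct, make_pdu() and pdu_read_u32() are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pdu {               /* the three p9_fcall fields this example needs */
    size_t size;           /* bytes actually present in sdata */
    size_t offset;         /* read cursor */
    uint8_t sdata[32];
};

/* Length the unchecked computation produces: when offset > size the
 * subtraction wraps to a huge size_t, min() keeps 'want' unchanged and the
 * memcpy that follows reads past the end of sdata. This helper only
 * returns the number; it performs no copy. */
static size_t unchecked_len(const struct pdu *p, size_t want)
{
    size_t avail = p->size - p->offset;   /* wraps when offset > size */

    return avail < want ? avail : want;
}

/* Bounds-safe read: copies at most what is really left, advances the cursor
 * and returns how many of the requested bytes could NOT be read (0 means
 * success), mirroring the pdu_read() return contract. */
static size_t pdu_read_safe(struct pdu *p, void *data, size_t want)
{
    size_t avail, len;

    if (p->offset > p->size)              /* cursor already past the end */
        return want;
    avail = p->size - p->offset;
    len = avail < want ? avail : want;
    memcpy(data, p->sdata + p->offset, len);
    p->offset += len;
    return want - len;
}

/* Little-endian u32 decode on top of the safe read, the shape of what
 * p9pdu_readf("d") does. Returns 0 on success, -1 on a short read. */
static int pdu_read_u32(struct pdu *p, uint32_t *out)
{
    uint8_t b[4];

    if (pdu_read_safe(p, b, sizeof b) != 0)
        return -1;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

/* Constructed pdu whose size and cursor are chosen by the caller; the first
 * four payload bytes encode 0x12345678. */
static struct pdu make_pdu(size_t size, size_t offset)
{
    struct pdu p;

    memset(&p, 0, sizeof p);
    p.size = size;
    p.offset = offset;
    p.sdata[0] = 0x78; p.sdata[1] = 0x56; p.sdata[2] = 0x34; p.sdata[3] = 0x12;
    return p;
}

int main(void)
{
    struct pdu p = make_pdu(10, 12);      /* cursor two bytes past the data */
    uint8_t tmp[4];

    printf("unchecked length for a 4-byte read: %zu\n", unchecked_len(&p, 4));
    printf("safe read leaves %zu bytes unread, cursor at %zu\n",
           pdu_read_safe(&p, tmp, 4), p.offset);
    return 0;
}
```

With size 10 and offset 12 the unchecked length is still 4, so the original code would copy four bytes from beyond the buffer; the safe version copies nothing, leaves the cursor where it was and reports all four bytes as unread, which the caller then treats as an error.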
Hi,
I spent some time debugging the Syzkaller's found issue at subject:
https://syzkaller.appspot.com/bug?id=b8febdb3c7c8c1f1b606fb903cee66b21b2fd02f
And I've backtracked the UAF to the fact that the cma_listen_on_all()
function adds "id_priv->list" to the global var "listen_any_list" but
then s
24 matches