On Tue, 2014-11-11 at 20:02 -0500, Mathy Vanhoef wrote:
> On 11/10/2014 04:08 AM, Oliver Neukum wrote:
> > Which means that you are freeing memory that may still be used by DMA
> > at this time.
> > In addition you have no guarantee that the unlink is indeed finished
> > by the time the URB is reused.
> > If you wish to take this approach you better forget about this URB
> > and allocate a new one and free the buffer from the callback.
>
> Hi Oliver,
>
> Good catch. I think the DMA issue is also present in the current driver: it
> frees the buffer without unlinking/killing the URB at all. Can a malicious USB

Yes, it is present.

> device force a timeout to occur (i.e. delay the call to the completion
> handler)? If so this might be a use-after-free vulnerability.
>
> It seems using usb_kill_urb instead of usb_unlink_urb in the patch prevents any
> possible use-after-free. Can someone double check?

usb_kill_urb() will do the job.

	Regards
		Oliver

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
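The ordering point in the exchange above (an asynchronous unlink returns before the completion handler has run, so freeing the transfer buffer right after it leaves a window in which the completion still references freed memory, whereas usb_kill_urb() waits for the completion first) can be made concrete with a small user-space model. This is an added illustration, not code from the thread or from any kernel driver: the model_* functions are constructed stand-ins for the real USB core calls, and the "slow or malicious device" is modelled by the host controller delivering completions only when model_hcd_run_completions() is called.

```c
/* User-space model of URB teardown ordering (constructed illustration,
 * not kernel code). model_unlink_urb() stands in for usb_unlink_urb(),
 * model_kill_urb() for usb_kill_urb(). */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_PENDING 4

struct model_urb;
typedef void (*complete_fn)(struct model_urb *urb);

struct model_urb {
    unsigned char *transfer_buffer;   /* DMA buffer owned by the driver */
    bool in_flight;                   /* submitted and not yet completed */
    bool buffer_freed;                /* model flag: driver freed the buffer */
    bool touched_after_free;          /* completion ran against freed buffer */
    complete_fn complete;
};

/* Completions the modelled host controller still owes the driver. */
static struct model_urb *pending[MAX_PENDING];
static int npending;

static int model_submit_urb(struct model_urb *urb)
{
    if (urb->in_flight || npending >= MAX_PENDING)
        return -1;
    urb->in_flight = true;
    pending[npending++] = urb;
    return 0;
}

/* Deliver every pending completion, as the HCD would from its interrupt path. */
static void model_hcd_run_completions(void)
{
    for (int i = 0; i < npending; i++) {
        struct model_urb *urb = pending[i];
        urb->in_flight = false;
        urb->complete(urb);
    }
    npending = 0;
}

/* Like usb_unlink_urb(): requests cancellation and returns at once. The
 * completion handler still runs later, whenever the controller gets to it. */
static void model_unlink_urb(struct model_urb *urb)
{
    (void)urb; /* nothing synchronous happens here */
}

/* Like usb_kill_urb(): cancels and does not return until the completion
 * handler has run, so nothing references the buffer afterwards. */
static void model_kill_urb(struct model_urb *urb)
{
    if (urb->in_flight)
        model_hcd_run_completions();
}

/* Receive completion: reads the transfer buffer like a real rx handler.
 * The buffer_freed check records what would be a use-after-free. */
static void rx_complete(struct model_urb *urb)
{
    if (urb->buffer_freed) {
        urb->touched_after_free = true;
        return;
    }
    volatile unsigned char first = urb->transfer_buffer[0];
    (void)first;
}

static void free_transfer_buffer(struct model_urb *urb)
{
    urb->buffer_freed = true;
    free(urb->transfer_buffer);
    urb->transfer_buffer = NULL;
}

/* Teardown: submit, cancel with the given routine, free the buffer, then let
 * the delayed completion arrive. Returns true if the completion observed
 * freed memory. */
static bool teardown(void (*cancel)(struct model_urb *))
{
    struct model_urb urb = { .complete = rx_complete };
    urb.transfer_buffer = calloc(64, 1);
    if (!urb.transfer_buffer || model_submit_urb(&urb) != 0)
        return false;
    cancel(&urb);
    free_transfer_buffer(&urb);
    model_hcd_run_completions(); /* slow device: completion only arrives now */
    return urb.touched_after_free;
}

bool teardown_with_unlink(void) { return teardown(model_unlink_urb); }
bool teardown_with_kill(void)   { return teardown(model_kill_urb); }
```

teardown_with_unlink() returns true (the completion ran after the buffer was freed), teardown_with_kill() returns false (the completion was forced to run before the free). The third option Oliver mentions, freeing the buffer from the completion callback itself, avoids the window the same way: the memory is released only by the code that knows no further reference exists.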