There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl() function.
A handle has ref count of 1 and two tasks on different cpus call ION_IOC_FREE
simultaneously.
cpu 0 cpu 1
--
> Subject: Re: [PATCH v3] staging/android/ion : fix a race condition in the
> ion driver
>
> On 02/23/2016 08:38 PM, EunTaik Lee wrote:
> > There is a use-after-free
> Subject: Re: [PATCH v2] staging/android/ion : fix a race condition in the
> ion driver
>
> On 02/19/2016 04:03 AM, EunTaik Lee wrote:
> > There is a use-after-free
2016-02-18 3:54 GMT+09:00 Laura Abbott:
> On 02/16/2016 10:32 PM, EunTaik Lee wrote:
>> There was a use-after-free problem in the ion driver.
>>
>> The problem is detected as an unaligned access in the
>> spin lock functions since it uses load exclusive
>> instr
There was a use-after-free problem in the ion driver.
The problem is detected as an unaligned access in the
spin lock functions since it uses load exclusive
instruction. In some cases it corrupts the slub's
free pointer which causes an unaligned access to the
next free pointer. (thus the kmalloc fu