Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-25 Thread Rik van Riel
On Thu, 24 May 2001, Dawson Engler wrote: > Boilerplate disclaimer: > - this is part of a one-time large batch of errors. In the future, > we'll send out incremental bug reports along with a pointer to > the bug database on our website. Personally, I'd like to see

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-25 Thread Jeff Hartmann
Alan Cox wrote: > >> return; >> >/u2/engler/mc/oses/linux/2.4.4-ac8/drivers/char/drm/gamma_dma.c:573:gamma_dma_send_buffers: > ERROR:FREE:561:573: WARN: Use-after-free of "last_buf"! set by 'drm_free_buffer':561 >> DRM_DEBUG("%d running\n", current->pid); > > > Left

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-25 Thread Greg KH
Here's the patch to fix the io_edgeport driver. Johannes, please send this to Linus, it's against 2.4.5-pre5. thanks, greg k-h diff -Nru a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c --- a/drivers/usb/serial/io_edgeport.c Thu May 24 23:18:56 2001 +++

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-25 Thread Jeff Hartmann
Alan Cox wrote: return; /u2/engler/mc/oses/linux/2.4.4-ac8/drivers/char/drm/gamma_dma.c:573:gamma_dma_send_buffers: ERROR:FREE:561:573: WARN: Use-after-free of "last_buf"! set by 'drm_free_buffer':561 DRM_DEBUG("%d running\n", current->pid); Left for the XFree

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-25 Thread Rik van Riel
On Thu, 24 May 2001, Dawson Engler wrote: Boilerplate disclaimer: - this is part of a one-time large batch of errors. In the future, we'll send out incremental bug reports along with a pointer to the bug database on our website. Personally, I'd like to see these

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-24 Thread Alan Cox
> > > Error ---> > > > p, p->RIOHosts, p->RIOPortp, rio_termios, rio_termios); > > > > Not a bug - you need to teach your code that printf has formats that print the > > value of a pointer not dereference it > > > > Take another look. p is potentially bogus here, meaning

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-24 Thread David S. Miller
Alan Cox writes: > > [BUG] seems possible --- or is some precondition guaranteed? > > /u2/engler/mc/oses/linux/2.4.4-ac8/net/ipv6/udp.c:438:udpv6_recvmsg: >ERROR:FREE:453:438: WARN: Use-after-free of "skb"! set by 'kfree_skb':453 > > Looks right. Left for DaveM It's wrong, in the

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-24 Thread Alan Cox
> [BUG] [fixed in 2.4.4] > /u2/engler/mc/oses/linux/2.4.4-ac8/drivers/block/cciss.c:686:cciss_ioctl: >ERROR:FREE:682:686: WARN: Use-after-free of "c"! set by 'cmd_free':682 [type=SECURITY] > { > /* Copy the data out of the buffer we created */ >

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-24 Thread Justin Carlson
On Thu, 24 May 2001, Dawson Engler wrote: > Hi All, > > Enclosed are 24 bugs where code uses memory that has been freed. The > good thing about these bugs is that they are easy to fix. (Note: About > 5 of these have had patches submitted, so this list is a bit out of > date.) Enclosed is a

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-24 Thread Alexander Viro
On Thu, 24 May 2001, Dawson Engler wrote: > [BUG] [BAD] Returns a freed pointer -- very very bad. ... and easy to fix. > /u2/engler/mc/oses/linux/2.4.4/fs/proc/generic.c:438:proc_symlink: >ERROR:FREE:430:438: WARN: Use-after-free of "ent"! set by 'kfree':430 > ent->namelen = len; >

[CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-24 Thread Dawson Engler
Hi All, Enclosed are 24 bugs where code uses memory that has been freed. The good thing about these bugs is that they are easy to fix. (Note: About 5 of these have had patches submitted, so this list is a bit out of date.) Summary 2.4.4ac8-specific errors = 4 2.4.4-specific

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-24 Thread Alexander Viro
On Thu, 24 May 2001, Dawson Engler wrote: [BUG] [BAD] Returns a freed pointer -- very very bad. ... and easy to fix. /u2/engler/mc/oses/linux/2.4.4/fs/proc/generic.c:438:proc_symlink: ERROR:FREE:430:438: WARN: Use-after-free of "ent"! set by 'kfree':430 ent->namelen = len;

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-24 Thread Alan Cox
Error ---> p, p->RIOHosts, p->RIOPortp, rio_termios, rio_termios); Not a bug - you need to teach your code that printf has formats that print the value of a pointer not dereference it Take another look. p is potentially bogus here, meaning those p->RIOHosts and

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-24 Thread David S. Miller
Alan Cox writes: [BUG] seems possible --- or is some precondition guaranteed? /u2/engler/mc/oses/linux/2.4.4-ac8/net/ipv6/udp.c:438:udpv6_recvmsg: ERROR:FREE:453:438: WARN: Use-after-free of "skb"! set by 'kfree_skb':453 Looks right. Left for DaveM It's wrong, in the MSG_PEEK case

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-24 Thread Alan Cox
[BUG] [fixed in 2.4.4] /u2/engler/mc/oses/linux/2.4.4-ac8/drivers/block/cciss.c:686:cciss_ioctl: ERROR:FREE:682:686: WARN: Use-after-free of "c"! set by 'cmd_free':682 [type=SECURITY] { /* Copy the data out of the buffer we created */

Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

2001-05-24 Thread Justin Carlson
On Thu, 24 May 2001, Dawson Engler wrote: Hi All, Enclosed are 24 bugs where code uses memory that has been freed. The good thing about these bugs is that they are easy to fix. (Note: About 5 of these have had patches submitted, so this list is a bit out of date.) Enclosed is a patch