Message-ID: <49CE61F8.5090303@gmail.com>
Date:	Sat, 28 Mar 2009 18:44:24 +0100
From:	Marcin Slusarz <marcin.slusarz@...il.com>
To:	Dan Carpenter <error27@...il.com>
CC:	LKML <linux-kernel@...r.kernel.org>, eteo@...hat.com,
	Christoph Hellwig <hch@....de>,
	David Woodhouse <dwmw2@...radead.org>
Subject: [PATCH] mtd: fix use after free in register_mtd_blktrans

Dan Carpenter wrote:
> I added a check to smatch (http://repo.or.cz/w/smatch.git/) to check
> for when we dereference freed memory.
> 
> (...)
> drivers/mtd/mtd_blkdevs.c +389 register_mtd_blktrans(49) '*tr->blkcore_priv'
> (...)

Fix:
---
From: Marcin Slusarz <marcin.slusarz@...il.com>
Subject: [PATCH] mtd: fix use after free in register_mtd_blktrans

Reported-by: Dan Carpenter <error27@...il.com>
Cc: Christoph Hellwig <hch@....de>
Cc: David Woodhouse <dwmw2@...radead.org>
Signed-off-by: Marcin Slusarz <marcin.slusarz@...il.com>
---
 drivers/mtd/mtd_blkdevs.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c
index 1409f01..4109e0b 100644
--- a/drivers/mtd/mtd_blkdevs.c
+++ b/drivers/mtd/mtd_blkdevs.c
@@ -382,11 +382,12 @@ int register_mtd_blktrans(struct mtd_blktrans_ops *tr)
 	tr->blkcore_priv->thread = kthread_run(mtd_blktrans_thread, tr,
 			"%sd", tr->name);
 	if (IS_ERR(tr->blkcore_priv->thread)) {
+		int ret = PTR_ERR(tr->blkcore_priv->thread);
 		blk_cleanup_queue(tr->blkcore_priv->rq);
 		unregister_blkdev(tr->major, tr->name);
 		kfree(tr->blkcore_priv);
 		mutex_unlock(&mtd_table_mutex);
-		return PTR_ERR(tr->blkcore_priv->thread);
+		return ret;
 	}
 
 	INIT_LIST_HEAD(&tr->devs);
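
Review bot: after kfree(tr->blkcore_priv) in the IS_ERR() branch, tr->blkcore_priv still holds the freed address when the function returns, and tr is the caller's structure, so the stale pointer outlives this call. Saving PTR_ERR() into ret before the kfree() removes the read that smatch flagged, but adding tr->blkcore_priv = NULL; right after the kfree() would make any later dereference on this path hit a NULL pointer instead of freed memory. Two smaller points: kernel style expects a blank line after the declaration of ret, and the commit message has no body; one sentence saying that the old return statement read tr->blkcore_priv->thread after the kfree() would make the fix self-explanatory in the log.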
-- 
1.6.0.6
