Message-ID: <alpine.LNX.2.00.1204222210290.27455@swampdragon.chaosbits.net>
Date:	Sun, 22 Apr 2012 22:13:12 +0200 (CEST)
From:	Jesper Juhl <jj@...osbits.net>
To:	linux-kernel@...r.kernel.org
cc:	Felipe Contreras <felipe.contreras@...il.com>,
	Marek Vasut <marek.vasut@...il.com>,
	Felipe Balbi <balbi@...com>,
	Anton Vorontsov <anton.vorontsov@...aro.org>,
	Heikki Krogerus <heikki.krogerus@...ux.intel.com>,
	Kalle Jokiniemi <kalle.jokiniemi@...ia.com>
Subject: [PATCH] ISP1704 USB Charger: Fix use-after-free error in
 isp1704_charger_probe()

In isp1704_charger_probe() at the 'fail0:' label we kfree(isp) and
then subsequently call isp1704_charger_set_power(isp, 0). That's a
problem since isp1704_charger_set_power() dereferences the pointer it
is passed as its first argument, which is 'isp', which we already
freed.

Fixed by simply swapping the order of the two calls so that we only
kfree() *after* the call to isp1704_charger_set_power().

Signed-off-by: Jesper Juhl <jj@...osbits.net>
---
 drivers/power/isp1704_charger.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/power/isp1704_charger.c b/drivers/power/isp1704_charger.c
index 39eb50f..8a610da 100644
--- a/drivers/power/isp1704_charger.c
+++ b/drivers/power/isp1704_charger.c
@@ -476,11 +476,9 @@ fail2:
 fail1:
 	usb_put_transceiver(isp->phy);
 fail0:
-	kfree(isp);
-
 	dev_err(&pdev->dev, "failed to register isp1704 with error %d\n", ret);
-
 	isp1704_charger_set_power(isp, 0);
+	kfree(isp);
 	return ret;
 }
 
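Review bot: the two blank-line removals around dev_err() under fail0: are unrelated to the use-after-free fix and make up two of the three deletions in the diffstat. Consider leaving them in place so the hunk only moves kfree(isp) below isp1704_charger_set_power(isp, 0), which keeps the fix minimal and easier to backport. The reordering itself looks correct from the visible lines: the last use of isp in this error path is the isp1704_charger_set_power() call, and kfree(isp) now comes directly before return ret.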
-- 
1.7.10


-- 
Jesper Juhl <jj@...osbits.net>       http://www.chaosbits.net/
Don't top-post http://www.catb.org/jargon/html/T/top-post.html
Plain text mails only, please.
