| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1456152641-127948-3-git-send-email-heikki.krogerus@linux.intel.com> Date: Mon, 22 Feb 2016 16:50:41 +0200 From: Heikki Krogerus <heikki.krogerus@...ux.intel.com> To: "Rafael J. Wysocki" <rjw@...ysocki.net> Cc: Mika Westerberg <mika.westerberg@...ux.intel.com>, Andy Shevchenko <andriy.shevchenko@...ux.intel.com>, John Youn <John.Youn@...opsys.com>, linux-kernel@...r.kernel.org Subject: [PATCH 2/2] device property: fix for a case of use-after-free In device_remove_property_set(), if the primary fwnode is of type "pset", it has to be set pointing to NULL before calling set_secondary_fwnode(). Otherwise set_secondary_fwnode() will attempt to set the fwnode->secondary member after the fwnode has been freed. Reported-by: John Youn <John.Youn@...opsys.com> Signed-off-by: Heikki Krogerus <heikki.krogerus@...ux.intel.com> --- drivers/base/property.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/base/property.c b/drivers/base/property.c index a163f2c..ddf2987 100644 --- a/drivers/base/property.c +++ b/drivers/base/property.c @@ -820,7 +820,9 @@ void device_remove_property_set(struct device *dev) * the pset. If there is no real firmware node (ACPI/DT) primary * will hold the pset. */ - if (!is_pset_node(fwnode)) + if (is_pset_node(fwnode)) + dev->fwnode = NULL; + else fwnode = fwnode->secondary; if (!IS_ERR(fwnode) && is_pset_node(fwnode)) pset_free_set(to_pset_node(fwnode)); -- 2.7.0
Powered by blists - more mailing lists