lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Sun, 10 Apr 2016 12:48:27 +0200
From:	Andreas Noever <andreas.noever@...il.com>
To:	helgaas@...nel.org, linux-pci@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org,
	Andreas Noever <andreas.noever@...il.com>,
	Lukas Wunner <lukas@...ner.de>, stable@...r.kernel.org
Subject: [PATCH] thunderbolt: Fix double free of drom buffer

If tb_drom_read fails sw->drom is freed but not set to NULL. sw->drom
is then freed again in the error path of sw_switch_alloc.

The bug can be triggered by unplugging a thunderbolt device shortly
after it is detected by the thunderbolt driver.

Signed-off-by: Andreas Noever <andreas.noever@...il.com>
Cc: Lukas Wunner <lukas@...ner.de>
Cc: stable@...r.kernel.org
---
 drivers/thunderbolt/eeprom.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/thunderbolt/eeprom.c b/drivers/thunderbolt/eeprom.c
index 0dde34e..545c60c 100644
--- a/drivers/thunderbolt/eeprom.c
+++ b/drivers/thunderbolt/eeprom.c
@@ -444,6 +444,7 @@ int tb_drom_read(struct tb_switch *sw)
 	return tb_drom_parse_entries(sw);
 err:
 	kfree(sw->drom);
+	sw->drom = NULL;
 	return -EIO;
 
 }
-- 
2.8.0

Powered by blists - more mailing lists