| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Aug 2017 15:59:01 +0300
From: Anton Vasilyev <vasilyev@...ras.ru>
To: Bernie Thompson <bernie@...gable.com>
Cc: Anton Vasilyev <vasilyev@...ras.ru>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>,
linux-fbdev@...r.kernel.org, linux-kernel@...r.kernel.org,
ldv-project@...uxtesting.org
Subject: [PATCH] video: fbdev: udlfb: Fix use after free on dlfb_usb_probe error path
If dlfb_usb_probe drops to error path then there is only one
kref_init() call and no kref_get(), so second kref_put() leads to
use after free.
The patch removes superfluous kref_put on dlfb_usb_probe error path.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Anton Vasilyev <vasilyev@...ras.ru>
---
drivers/video/fbdev/udlfb.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
index 05ef657..f71b49f 100644
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -1655,7 +1655,6 @@ static int dlfb_usb_probe(struct usb_interface *interface,
error:
if (dev) {
- kref_put(&dev->kref, dlfb_free); /* ref for framebuffer */
kref_put(&dev->kref, dlfb_free); /* last ref from kref_init */
/* dev has been deallocated. Do not dereference */
--
2.7.4
Powered by blists - more mailing lists