lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 18 Feb 2019 14:57:30 -0500
From:   Sven Van Asbroeck <thesven73@...il.com>
To:     Bjorn Helgaas <bhelgaas@...gle.com>
Cc:     linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org,
        Sinan Kaya <okaya@...nel.org>,
        Frederick Lawler <fred@...dlawl.com>,
        Mika Westerberg <mika.westerberg@...ux.intel.com>,
        Keith Busch <keith.busch@...el.com>
Subject: [PATCH] PCIE/PME: fix possible use-after-free on remove

In remove(), ensure that the pme work cannot run after kfree()
is called. Otherwise, this could result in a use-after-free.

This issue was detected with the help of Coccinelle.

Cc: Sinan Kaya <okaya@...nel.org>
Cc: Frederick Lawler <fred@...dlawl.com>
Cc: Mika Westerberg <mika.westerberg@...ux.intel.com>
Cc: Keith Busch <keith.busch@...el.com>
Signed-off-by: Sven Van Asbroeck <TheSven73@...il.com>
---
 drivers/pci/pcie/pme.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/pci/pcie/pme.c b/drivers/pci/pcie/pme.c
index 0dbcf429089f..87823f669ccc 100644
--- a/drivers/pci/pcie/pme.c
+++ b/drivers/pci/pcie/pme.c
@@ -427,9 +427,12 @@ static int pcie_pme_resume(struct pcie_device *srv)
  */
 static void pcie_pme_remove(struct pcie_device *srv)
 {
+	struct pcie_pme_service_data *data = get_service_data(srv);
+
 	pcie_pme_suspend(srv);
 	free_irq(srv->irq, srv);
-	kfree(get_service_data(srv));
+	cancel_work_sync(&data->work);
+	kfree(data);
 }
 
 static int pcie_pme_runtime_suspend(struct pcie_device *srv)
-- 
2.17.1

Powered by blists - more mailing lists