| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CADYN=9+9UrN9R=M5ode43ZkebaDrm8a9m5t1eyAmR+wNhWypMA@mail.gmail.com>
Date: Wed, 6 Mar 2019 18:28:33 +0100
From: Anders Roxell <anders.roxell@...aro.org>
To: Dan Carpenter <dan.carpenter@...cle.com>
Cc: erico.nunes@...acom.ind.br, wsa@...-dreams.de,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: BUG: KASAN: i2c dev use after free
On Mon, 4 Mar 2019 at 16:37, Dan Carpenter <dan.carpenter@...cle.com> wrote:
>
> I wasn't trying to fix anything so complicated as this, it was a
> more obvious use after free. It does feel intuitively that we should
> call device_destroy() before the cdev_del() so that it's in the reverse
> order from how it was allocated but I don't see any reason to think
> that will make a difference.
No that didn't make any difference... =/
>
> ---
> drivers/i2c/i2c-dev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
> index 3f7b9af11137..7e85e2cf26c1 100644
> --- a/drivers/i2c/i2c-dev.c
> +++ b/drivers/i2c/i2c-dev.c
> @@ -687,9 +687,9 @@ static int i2cdev_detach_adapter(struct device *dev, void *dummy)
> if (!i2c_dev) /* attach_adapter must have failed */
> return 0;
>
> + device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));
> cdev_del(&i2c_dev->cdev);
> put_i2c_dev(i2c_dev);
> - device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));
>
> pr_debug("i2c-dev: adapter [%s] unregistered\n", adap->name);
> return 0;
> --
> 2.17.1
>
Powered by blists - more mailing lists