| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Aug 2019 17:07:42 +0300
From: Roger Quadros <rogerq@...com>
To: Wen Yang <wen.yang99@....com.cn>, <linux-kernel@...r.kernel.org>
CC: <xue.zhihong@....com.cn>, <wang.yi59@....com.cn>,
<cheng.shengyu@....com.cn>, Kishon Vijay Abraham I <kishon@...com>
Subject: Re: [PATCH] phy: ti: am654-serdes: fix an use-after-free in
serdes_am654_clk_register()
On 08/07/2019 09:19, Wen Yang wrote:
> The regmap_node variable is still being used in the syscon_node_to_regmap()
> call after the of_node_put() call, which may result in use-after-free.
>
> Fixes: 71e2f5c5c224 ("phy: ti: Add a new SERDES driver for TI's AM654x SoC")
> Signed-off-by: Wen Yang <wen.yang99@....com.cn>
> Cc: Kishon Vijay Abraham I <kishon@...com>
> Cc: Roger Quadros <rogerq@...com>
> Cc: linux-kernel@...r.kernel.org
Reviewed-by: Roger Quadros <rogerq@...com>
> ---
> drivers/phy/ti/phy-am654-serdes.c | 33 ++++++++++++++++++++++-----------
> 1 file changed, 22 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/phy/ti/phy-am654-serdes.c b/drivers/phy/ti/phy-am654-serdes.c
> index f8edd08..f14f1f0 100644
> --- a/drivers/phy/ti/phy-am654-serdes.c
> +++ b/drivers/phy/ti/phy-am654-serdes.c
> @@ -405,6 +405,7 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
> const __be32 *addr;
> unsigned int reg;
> struct clk *clk;
> + int ret = 0;
>
> mux = devm_kzalloc(dev, sizeof(*mux), GFP_KERNEL);
> if (!mux)
> @@ -413,34 +414,40 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
> init = &mux->clk_data;
>
> regmap_node = of_parse_phandle(node, "ti,serdes-clk", 0);
> - of_node_put(regmap_node);
> if (!regmap_node) {
> dev_err(dev, "Fail to get serdes-clk node\n");
> - return -ENODEV;
> + ret = -ENODEV;
> + goto out_put_node;
> }
>
> regmap = syscon_node_to_regmap(regmap_node->parent);
> if (IS_ERR(regmap)) {
> dev_err(dev, "Fail to get Syscon regmap\n");
> - return PTR_ERR(regmap);
> + ret = PTR_ERR(regmap);
> + goto out_put_node;
> }
>
> num_parents = of_clk_get_parent_count(node);
> if (num_parents < 2) {
> dev_err(dev, "SERDES clock must have parents\n");
> - return -EINVAL;
> + ret = -EINVAL;
> + goto out_put_node;
> }
>
> parent_names = devm_kzalloc(dev, (sizeof(char *) * num_parents),
> GFP_KERNEL);
> - if (!parent_names)
> - return -ENOMEM;
> + if (!parent_names) {
> + ret = -ENOMEM;
> + goto out_put_node;
> + }
>
> of_clk_parent_fill(node, parent_names, num_parents);
>
> addr = of_get_address(regmap_node, 0, NULL, NULL);
> - if (!addr)
> - return -EINVAL;
> + if (!addr) {
> + ret = -EINVAL;
> + goto out_put_node;
> + }
>
> reg = be32_to_cpu(*addr);
>
> @@ -456,12 +463,16 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
> mux->hw.init = init;
>
> clk = devm_clk_register(dev, &mux->hw);
> - if (IS_ERR(clk))
> - return PTR_ERR(clk);
> + if (IS_ERR(clk)) {
> + ret = PTR_ERR(clk);
> + goto out_put_node;
> + }
>
> am654_phy->clks[clock_num] = clk;
>
> - return 0;
> +out_put_node:
> + of_node_put(regmap_node);
> + return ret;
> }
>
> static const struct of_device_id serdes_am654_id_table[] = {
>
--
Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki
Powered by blists - more mailing lists