| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Dec 2020 23:42:02 +0100
From: Pavel Machek <pavel@....cz>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Hulk Robot <hulkci@...wei.com>,
Qinglang Miao <miaoqinglang@...wei.com>,
Ulf Hansson <ulf.hansson@...aro.org>,
Sasha Levin <sashal@...nel.org>
Subject: Re: [PATCH 5.10 191/717] memstick: fix a double-free bug in
memstick_check
Hi!
> From: Qinglang Miao <miaoqinglang@...wei.com>
>
> [ Upstream commit e3e9ced5c93803d5b2ea1942c4bf0192622531d6 ]
>
> kfree(host->card) has been called in put_device so that
> another kfree would raise cause a double-free bug.
> +++ b/drivers/memstick/core/memstick.c
> @@ -468,7 +468,6 @@ static void memstick_check(struct work_struct *work)
> host->card = card;
> if (device_register(&card->dev)) {
> put_device(&card->dev);
> - kfree(host->card);
> host->card = NULL;
> }
Does the host->card = NULL need to be removed, too (and following code
refactored)? put_device() needs that pointer to be able to free it and
it can do so asynchronously.
This will cause crashes; they should be easy to reproduce with
CONFIG_DEBUG_KOBJECT_RELEASE due to delay in kobject_release() AFAICT.
Best regards, Pavel
--
http://www.livejournal.com/~pavelmachek
Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)
Powered by blists - more mailing lists