[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210311135833.GT4332@42.do-not-panic.com>
Date: Thu, 11 Mar 2021 13:58:33 +0000
From: Luis Chamberlain <mcgrof@...nel.org>
To: lyl2019@...l.ustc.edu.cn
Cc: linux-kernel@...r.kernel.org
Subject: Re: Re: [PATCH] lib/test_kmod: Fix a use after free in
register_test_dev_kmod
On Thu, Mar 11, 2021 at 09:31:55PM +0800, lyl2019@...l.ustc.edu.cn wrote:
>
>
>
> > -----原始邮件-----
> > 发件人: "Luis Chamberlain" <mcgrof@...nel.org>
> > 发送时间: 2021-03-11 21:01:08 (星期四)
> > 收件人: "Lv Yunlong" <lyl2019@...l.ustc.edu.cn>
> > 抄送: linux-kernel@...r.kernel.org
> > 主题: Re: [PATCH] lib/test_kmod: Fix a use after free in register_test_dev_kmod
> >
> > On Thu, Mar 11, 2021 at 12:02:46AM -0800, Lv Yunlong wrote:
> > > In register_test_dev_kmod, it calls free_test_dev_kmod() to free
> > > test_dev. But free_test_dev_kmod() can't set the original pointer
> > > test_dev to NULL, because the test_dev was passed by it's value
> > > not reference.
> >
> > Did you actually get a crash or something? If so can you supply the
> > actual log? If this is just an observation and you think this is an
> > issue, specifying that would help during patch review.
> >
> > Luis
> >
> > > Signed-off-by: Lv Yunlong <lyl2019@...l.ustc.edu.cn>
> > > ---
> > > lib/test_kmod.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/lib/test_kmod.c b/lib/test_kmod.c
> > > index 38c250fbace3..aa8a2a563d7e 100644
> > > --- a/lib/test_kmod.c
> > > +++ b/lib/test_kmod.c
> > > @@ -1124,7 +1124,6 @@ static void free_test_dev_kmod(struct kmod_test_device *test_dev)
> > > free_test_dev_info(test_dev);
> > > kmod_config_free(test_dev);
> > > vfree(test_dev);
> > > - test_dev = NULL;
> > > }
> > > }
> > >
> > > @@ -1149,6 +1148,7 @@ static struct kmod_test_device *register_test_dev_kmod(void)
> > > if (ret) {
> > > pr_err("could not register misc device: %d\n", ret);
> > > free_test_dev_kmod(test_dev);
> > > + test_dev = NULL;
> > > goto out;
> > > }
> > >
> > > --
> > > 2.25.1
> > >
> > >
>
> This problem was reported by source code analyzers developed by our Security Lab(Loccs).
This should be included in the commit log, please.
> We have confirmed this issue before submiting the patch.
How was this confirmed exactly.
Luis
Powered by blists - more mailing lists