| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5c22e0b9.10ae8.17863c3eddb.Coremail.lyl2019@mail.ustc.edu.cn>
Date: Wed, 24 Mar 2021 18:24:48 +0800 (GMT+08:00)
From: lyl2019@...l.ustc.edu.cn
To: "Michael Kelley" <mikelley@...rosoft.com>
Cc: "KY Srinivasan" <kys@...rosoft.com>,
"Haiyang Zhang" <haiyangz@...rosoft.com>,
"Stephen Hemminger" <sthemmin@...rosoft.com>,
"wei.liu@...nel.org" <wei.liu@...nel.org>,
"linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
"dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
"linux-fbdev@...r.kernel.org" <linux-fbdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: RE: [PATCH] video/fbdev: Fix a double free in hvfb_probe
> -----原始邮件-----
> 发件人: "Michael Kelley" <mikelley@...rosoft.com>
> 发送时间: 2021-03-24 02:52:07 (星期三)
> 收件人: "Lv Yunlong" <lyl2019@...l.ustc.edu.cn>, "KY Srinivasan" <kys@...rosoft.com>, "Haiyang Zhang" <haiyangz@...rosoft.com>, "Stephen Hemminger" <sthemmin@...rosoft.com>, "wei.liu@...nel.org" <wei.liu@...nel.org>
> 抄送: "linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>, "dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>, "linux-fbdev@...r.kernel.org" <linux-fbdev@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
> 主题: RE: [PATCH] video/fbdev: Fix a double free in hvfb_probe
>
> From: Lv Yunlong <lyl2019@...l.ustc.edu.cn> Sent: Tuesday, March 23, 2021 12:34 AM
> >
> > In function hvfb_probe in hyperv_fb.c, it calls hvfb_getmem(hdev, info)
> > and return err when info->apertures is freed.
> >
> > In the error1 label of hvfb_probe, info->apertures will be freed twice
> > by framebuffer_release(info).
> >
> > My patch sets info->apertures to NULL after it was freed to avoid
> > double free.
> >
> > Signed-off-by: Lv Yunlong <lyl2019@...l.ustc.edu.cn>
> > ---
> > drivers/video/fbdev/hyperv_fb.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
> > index c8b0ae676809..2fc9b507e73a 100644
> > --- a/drivers/video/fbdev/hyperv_fb.c
> > +++ b/drivers/video/fbdev/hyperv_fb.c
> > @@ -1032,6 +1032,7 @@ static int hvfb_getmem(struct hv_device *hdev, struct fb_info
> > *info)
> > if (!pdev) {
> > pr_err("Unable to find PCI Hyper-V video\n");
> > kfree(info->apertures);
> > + info->apertures = NULL;
> > return -ENODEV;
> > }
> >
> > @@ -1130,6 +1131,7 @@ static int hvfb_getmem(struct hv_device *hdev, struct fb_info
> > *info)
> > pci_dev_put(pdev);
> > }
> > kfree(info->apertures);
> > + info->apertures = NULL;
> >
> > return 0;
> >
> > @@ -1142,6 +1144,7 @@ static int hvfb_getmem(struct hv_device *hdev, struct fb_info
> > *info)
> > if (!gen2vm)
> > pci_dev_put(pdev);
> > kfree(info->apertures);
> > + info->apertures = NULL;
> >
> > return -ENOMEM;
> > }
> > --
> > 2.25.1
> >
>
> While I think this works, a slightly better solution might be to remove
> all calls to kfree(info->apertures) in hvfb_getmem(), and just let
> framebuffer_release() handle freeing the memory. That's what is
> done in other drivers that follow the fbdev pattern, and it's less
> code overall.
>
> Michael
Ok, i agree with you. Remove all calls to kfree(info->apertures)
in hvfb_getmem() is a better solution.
I will subimt a PATCH v2 for you to review. Thanks.
Powered by blists - more mailing lists