| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Apr 2021 08:46:51 +0800
From: quanyang.wang@...driver.com
To: Mark Brown <broonie@...nel.org>,
Michal Simek <michal.simek@...inx.com>,
Amit Kumar Mahapatra <amit.kumar-mahapatra@...inx.com>
Cc: linux-spi@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
linux-kernel@...r.kernel.org,
Quanyang Wang <quanyang.wang@...driver.com>
Subject: [PATCH 4/5] spi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op
From: Quanyang Wang <quanyang.wang@...driver.com>
When handling op->addr, it is using the buffer "tmpbuf" which has been
freed. This will trigger a use-after-free KASAN warning. Let's use
temporary variables to store op->addr.val and op->cmd.opcode to fix
this issue.
Fixes: 1c26372e5aa9 ("spi: spi-zynqmp-gqspi: Update driver to use spi-mem framework")
Signed-off-by: Quanyang Wang <quanyang.wang@...driver.com>
---
drivers/spi/spi-zynqmp-gqspi.c | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/drivers/spi/spi-zynqmp-gqspi.c b/drivers/spi/spi-zynqmp-gqspi.c
index 2e2607b5dee9..419bc1e6358b 100644
--- a/drivers/spi/spi-zynqmp-gqspi.c
+++ b/drivers/spi/spi-zynqmp-gqspi.c
@@ -928,8 +928,9 @@ static int zynqmp_qspi_exec_op(struct spi_mem *mem,
struct zynqmp_qspi *xqspi = spi_controller_get_devdata
(mem->spi->master);
int err = 0, i;
- u8 *tmpbuf;
u32 genfifoentry = 0;
+ u16 opcode = op->cmd.opcode;
+ u64 opaddr;
dev_dbg(xqspi->dev, "cmd:%#x mode:%d.%d.%d.%d\n",
op->cmd.opcode, op->cmd.buswidth, op->addr.buswidth,
@@ -942,14 +943,8 @@ static int zynqmp_qspi_exec_op(struct spi_mem *mem,
genfifoentry |= xqspi->genfifobus;
if (op->cmd.opcode) {
- tmpbuf = kzalloc(op->cmd.nbytes, GFP_KERNEL | GFP_DMA);
- if (!tmpbuf) {
- mutex_unlock(&xqspi->op_lock);
- return -ENOMEM;
- }
- tmpbuf[0] = op->cmd.opcode;
reinit_completion(&xqspi->data_completion);
- xqspi->txbuf = tmpbuf;
+ xqspi->txbuf = &opcode;
xqspi->rxbuf = NULL;
xqspi->bytes_to_transfer = op->cmd.nbytes;
xqspi->bytes_to_receive = 0;
@@ -963,13 +958,12 @@ static int zynqmp_qspi_exec_op(struct spi_mem *mem,
if (!wait_for_completion_timeout
(&xqspi->data_completion, msecs_to_jiffies(1000))) {
err = -ETIMEDOUT;
- kfree(tmpbuf);
goto return_err;
}
- kfree(tmpbuf);
}
if (op->addr.nbytes) {
+ xqspi->txbuf = &opaddr;
for (i = 0; i < op->addr.nbytes; i++) {
*(((u8 *)xqspi->txbuf) + i) = op->addr.val >>
(8 * (op->addr.nbytes - i - 1));
--
2.25.1
Powered by blists - more mailing lists