lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20210819141249.257945-1-Wentao_Liang_g@163.com>
Date:   Thu, 19 Aug 2021 22:12:49 +0800
From:   Wentao_Liang <Wentao_Liang_g@....com>
To:     dongchun.zhu@...iatek.com
Cc:     mchehab@...nel.org, linux-media@...r.kernel.org,
        linux-kernel@...r.kernel.org, Wentao_Liang <Wentao_Liang_g@....com>
Subject: [PATCH] drivers:media:i2c:ov02a10.c: fix a potential use-after-put bug

In line 825 (#1), "fwnode_handle_put(ep);" drops the reference to ep
and may cause ep to be released. However, ep is subsequently used in
lines 831 (#3) by "ret = fwnode_property_read_u32(ep, "ovti,mipi-clock-
voltage", &clk_volt);". This may result in an use-after-put bug.

It can be fixed by removing "fwnode_handle_put(ep);" in line 825 (#1)
and call it respectively before the function returns (line 827, #2) and
after ep has been used again (line 831, #3).

 806 static int ov02a10_check_hwcfg(struct device *dev,
                              struct ov02a10 *ov02a10)
 807 {
 ...
 825     fwnode_handle_put(ep); //#1 Memory can be released.
 826     if (ret)
 827         return ret;
             //#2 One of the branch ways ends here.
	     //   Function returns.

 ...
 830     ret = fwnode_property_read_u32(ep, "ovti,mipi-clock-voltage",
 831                        &clk_volt);
			//#3 Use of memory after it may be freed.
 ...
 853     return ret;
 854 }

Signed-off-by: Wentao_Liang <Wentao_Liang_g@....com>
---
 drivers/media/i2c/ov02a10.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/media/i2c/ov02a10.c b/drivers/media/i2c/ov02a10.c
index a3ce5500d355..1066a17e9cf8 100644
--- a/drivers/media/i2c/ov02a10.c
+++ b/drivers/media/i2c/ov02a10.c
@@ -822,13 +822,15 @@ static int ov02a10_check_hwcfg(struct device *dev, struct ov02a10 *ov02a10)
 		return -ENXIO;
 
 	ret = v4l2_fwnode_endpoint_alloc_parse(ep, &bus_cfg);
-	fwnode_handle_put(ep);
-	if (ret)
+	if (ret) {
+		fwnode_handle_put(ep);
 		return ret;
+	}
 
 	/* Optional indication of MIPI clock voltage unit */
 	ret = fwnode_property_read_u32(ep, "ovti,mipi-clock-voltage",
 				       &clk_volt);
+	fwnode_handle_put(ep);
 
 	if (!ret)
 		ov02a10->mipi_clock_voltage = clk_volt;
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ