| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20211104153253.23941-1-cyeaa@connect.ust.hk>
Date: Thu, 4 Nov 2021 08:32:53 -0700
From: Chengfeng Ye <cyeaa@...nect.ust.hk>
To: stefanr@...6.in-berlin.de
Cc: linux1394-devel@...ts.sourceforge.net,
linux-kernel@...r.kernel.org, Chengfeng Ye <cyeaa@...nect.ust.hk>
Subject: [PATCH] firewire: fix potential uaf in outbound_phy_packet_callback()
&e->event and e point to the same address, and &e->event could
be freed in queue_event. So there is a potential uaf issue if
we dereference e after calling queue_event(). Fix this by adding
a temporary variable to maintain e->client in advance, this can
avoid the potential uaf issue.
Signed-off-by: Chengfeng Ye <cyeaa@...nect.ust.hk>
---
drivers/firewire/core-cdev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 9f89c17730b1..2f47e31918f0 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -1516,9 +1516,10 @@ static void outbound_phy_packet_callback(struct fw_packet *packet,
}
e->phy_packet.data[0] = packet->timestamp;
+ struct client *e_client = e->client;
queue_event(e->client, &e->event, &e->phy_packet,
sizeof(e->phy_packet) + e->phy_packet.length, NULL, 0);
- client_put(e->client);
+ client_put(e_client);
}
static int ioctl_send_phy_packet(struct client *client, union ioctl_arg *arg)
--
2.17.1
Powered by blists - more mailing lists