| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Jan 2022 18:33:52 +0000
From: Mark Brown <broonie@...nel.org>
To: Fabio Estevam <festevam@...il.com>
Cc: matthias.schiffer@...tq-group.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] regmap: debugfs: Free debugfs_name buffer after usage
On Thu, Jan 06, 2022 at 02:50:19PM -0300, Fabio Estevam wrote:
> The reason for the duplicate name is that map->debugfs_name is never freed,
> which can cause a directory to be created with the same name used in the
> previous debugfs entry allocation.
> Fix this problem by freeing map->debugfs_name and setting it to NULL
> after its usage.
OK, but what's the logic here? The name is getting thrown away here but
clearly there is a file still so I'm not seeing how anything is going to
clean that file up. That means that if the device gets freed we'll end
up with the old debugfs file hanging around pointing at nothing. Like I
said (originally in response to Matthias' patch but pasted in this
thread as well):
| (we should probably clean up the one with no device but that's not what
| your commit does). I think what you need to look at here is that we
The use after free extends beyond just the filename, we're also loosing
track of the already created file, which does seem to be an existing
bug. To be more explicit this means we need a call to regmap_debugfs_exit()
which will clean up all the existing debugfs stuff before we loose
references to it.
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists