lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20220516193624.580066845@linuxfoundation.org>
Date:   Mon, 16 May 2022 21:35:54 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     linux-kernel@...r.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        stable@...r.kernel.org,
        Ville Syrjälä 
        <ville.syrjala@...ux.intel.com>,
        Andrzej Hajda <andrzej.hajda@...el.com>,
        Javier Martinez Canillas <javierm@...hat.com>,
        Andi Shyti <andi.shyti@...ux.intel.com>,
        Thomas Zimmermann <tzimemrmann@...e.de>,
        Lucas De Marchi <lucas.demarchi@...el.com>,
        Sasha Levin <sashal@...nel.org>
Subject: [PATCH 5.15 020/102] fbdev: efifb: Fix a use-after-free due early fb_info cleanup

From: Javier Martinez Canillas <javierm@...hat.com>

[ Upstream commit 1b5853dfab7fdde450f00f145327342238135c8a ]

Commit d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather
than .remove") attempted to fix a use-after-free error due driver freeing
the fb_info in the .remove handler instead of doing it in .fb_destroy.

But ironically that change introduced yet another use-after-free since the
fb_info was still used after the free.

This should fix for good by freeing the fb_info at the end of the handler.

Fixes: d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove")
Reported-by: Ville Syrjälä <ville.syrjala@...ux.intel.com>
Reported-by: Andrzej Hajda <andrzej.hajda@...el.com>
Signed-off-by: Javier Martinez Canillas <javierm@...hat.com>
Reviewed-by: Andi Shyti <andi.shyti@...ux.intel.com>
Reviewed-by: Andrzej Hajda <andrzej.hajda@...el.com>
Reviewed-by: Thomas Zimmermann <tzimemrmann@...e.de>
Signed-off-by: Lucas De Marchi <lucas.demarchi@...el.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220506132225.588379-1-javierm@redhat.com
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
 drivers/video/fbdev/efifb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
index cfa3dc0b4eee..b3d5f884c544 100644
--- a/drivers/video/fbdev/efifb.c
+++ b/drivers/video/fbdev/efifb.c
@@ -259,12 +259,12 @@ static void efifb_destroy(struct fb_info *info)
 			memunmap(info->screen_base);
 	}
 
-	framebuffer_release(info);
-
 	if (request_mem_succeeded)
 		release_mem_region(info->apertures->ranges[0].base,
 				   info->apertures->ranges[0].size);
 	fb_dealloc_cmap(&info->cmap);
+
+	framebuffer_release(info);
 }
 
 static const struct fb_ops efifb_ops = {
-- 
2.35.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ