| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <672f03a9-9ffa-c2f8-a369-e958c79a57f3@0.smtp.remotehost.it>
Date: Thu, 26 May 2022 22:03:05 +0200
From: Pascal Ernster <dri-devel@...dfalcon.net>
To: Javier Martinez Canillas <javierm@...hat.com>,
linux-kernel@...r.kernel.org
Cc: Daniel Vetter <daniel.vetter@...ll.ch>,
Helge Deller <deller@....de>,
Thomas Zimmermann <tzimmermann@...e.de>,
dri-devel@...ts.freedesktop.org, linux-fbdev@...r.kernel.org
Subject: Re: [PATCH] fbdev: vesafb: Fix a use-after-free due early fb_info
cleanup
[2022-05-26 21:47:52] Javier Martinez Canillas:
> Commit b3c9a924aab6 ("fbdev: vesafb: Cleanup fb_info in .fb_destroy rather
> than .remove") fixed a use-after-free error due the vesafb driver freeing
> the fb_info in the .remove handler instead of doing it in .fb_destroy.
>
> This can happen if the .fb_destroy callback is executed after the .remove
> callback, since the former tries to access a pointer freed by the latter.
>
> But that change didn't take into account that another possible scenario is
> that .fb_destroy is called before the .remove callback. For example, if no
> process has the fbdev chardev opened by the time the driver is removed.
>
> If that's the case, fb_info will be freed when unregister_framebuffer() is
> called, making the fb_info pointer accessed in vesafb_remove() after that
> to no longer be valid.
>
> To prevent that, move the expression containing the info->par to happen
> before the unregister_framebuffer() function call.
>
> Fixes: b3c9a924aab6 ("fbdev: vesafb: Cleanup fb_info in .fb_destroy rather than .remove")
> Reported-by: Pascal Ernster <dri-devel@...dfalcon.net>
> Signed-off-by: Javier Martinez Canillas <javierm@...hat.com>
Tested on a bare metal machine and on a test VM that had both crashed
when booting a kernel lacking this patch.
Again, thanks a lot for the quick fix! :)
Tested-by: Pascal Ernster <dri-devel@...dfalcon.net>
> ---
>
> drivers/video/fbdev/vesafb.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/vesafb.c b/drivers/video/fbdev/vesafb.c
> index e25e8de5ff67..929d4775cb4b 100644
> --- a/drivers/video/fbdev/vesafb.c
> +++ b/drivers/video/fbdev/vesafb.c
> @@ -490,11 +490,12 @@ static int vesafb_remove(struct platform_device *pdev)
> {
> struct fb_info *info = platform_get_drvdata(pdev);
>
> - /* vesafb_destroy takes care of info cleanup */
> - unregister_framebuffer(info);
> if (((struct vesafb_par *)(info->par))->region)
> release_region(0x3c0, 32);
>
> + /* vesafb_destroy takes care of info cleanup */
> + unregister_framebuffer(info);
> +
> return 0;
> }
>
Powered by blists - more mailing lists