| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Jun 2022 15:06:17 +0200
From: Pavel Machek <pavel@...x.de>
To: Sasha Levin <sashal@...nel.org>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Liang He <windhl@....com>,
Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
yangtiezhu@...ngson.cn, linux-mips@...r.kernel.org
Subject: Re: [PATCH AUTOSEL 4.9 11/13] mips/pic32/pic32mzda: Fix refcount
leak bugs
Hi!
> From: Liang He <windhl@....com>
>
> [ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
>
> of_find_matching_node(), of_find_compatible_node() and
> of_find_node_by_path() will return node pointers with refcout
> incremented. We should call of_node_put() when they are not
> used anymore.
It looks like this may introduces an use-after-free bug:
> +++ b/arch/mips/pic32/pic32mzda/init.c
> @@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup)
> np = of_find_compatible_node(NULL, NULL, lookup->compatible);
> if (np) {
> lookup->name = (char *)np->name;
> - if (lookup->phys_addr)
> + if (lookup->phys_addr) {
> + of_node_put(np);
> continue;
> + }
> if (!of_address_to_resource(np, 0, &res))
> lookup->phys_addr = res.start;
> + of_node_put(np);
> }
> }
lookup->name now contains pointer taken from np->name, but we did
put() on the np. What guarantees np->name is not freed?
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)
Powered by blists - more mailing lists