Message-Id: <20220730034923.25500-1-mailmesebin00@gmail.com>
Date: Sat, 30 Jul 2022 09:16:58 +0530
From: Sebin Sebastian <mailmesebin00@...il.com>
To: unlisted-recipients:; (no To-header on input)
Cc: mailmesebin00@...il.com, Alex Deucher <alexander.deucher@....com>,
Christian König <christian.koenig@....com>,
"Pan, Xinhui" <Xinhui.Pan@....com>,
David Airlie <airlied@...ux.ie>,
Daniel Vetter <daniel@...ll.ch>,
Nirmoy Das <nirmoy.das@....com>,
Lijo Lazar <lijo.lazar@....com>, Evan Quan <evan.quan@....com>,
Tom St Denis <tom.stdenis@....com>,
Somalapuram Amaranath <Amaranath.Somalapuram@....com>,
André Almeida <andrealmeid@...lia.com>,
amd-gfx@...ts.freedesktop.org, dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org
Subject: [PATCHv2 -next] drm/amdgpu: double free error and freeing uninitialized null pointer
Fix a double free and an uninitialized pointer read error. Both tmp and
new are pointing at the same address and both are freed, which leads to
a double free. Adding a check to verify if new and tmp are free in the
error_free label fixes the double free issue. new is not initialized to
null, which also leads to a free on an uninitialized pointer.
Suggested by: S. Amaranath <Amaranath.Somalapuram@....com>
Signed-off-by: Sebin Sebastian <mailmesebin00@...il.com>
---
Changes in v2:
Updated patch body as suggested by André Almeida <andrealmeid@...lia.com>
Reworked to implement a check in error_free for fixing double free error
as suggested by S. Amaranath <Amaranath.Somalapuram@....com>
drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
index e2eec985adb3..cb00c7d6f50b 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
@@ -1705,7 +1705,7 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
{
struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private;
char reg_offset[11];
- uint32_t *new, *tmp = NULL;
+ uint32_t *new = NULL, *tmp = NULL;
int ret, i = 0, len = 0;
do {
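Review bot: on the changed declaration line, `new = NULL` only matters if some jump to error_free happens before the first assignment to new, and neither this hunk nor the commit message identifies that path. Please name the early exit in the commit message so the fix can be checked against it, and reword the subject: "uninitialized null pointer" is contradictory, since the pointer was uninitialized rather than null. With both pointers starting at NULL, the `tmp != new` test added at error_free is false on that early path, so only kfree(new) runs there; that is safe because kfree(NULL) is a no-op, but it is worth stating.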
@@ -1747,7 +1747,8 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
ret = size;
error_free:
- kfree(tmp);
+ if (tmp != new)
+ kfree(tmp);
kfree(new);
return ret;
}
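Review bot: the `if (tmp != new)` guard at error_free decides ownership by pointer comparison, which hides the aliasing instead of removing it and will silently break if a later change lets tmp and new diverge again on some path. Consider clearing the alias at the point where the two pointers become equal (set the one that no longer owns the buffer to NULL) and keeping both kfree() calls unconditional, since kfree(NULL) is a no-op. If the comparison stays, add a short comment above it saying when tmp and new alias. Note also that `ret = size;` falls through into error_free, so the same frees run on the success path; the commit message should say why that is correct for both pointers.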
--
2.34.1