| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 20 Aug 2022 20:05:13 +0300
From: Rustam Subkhankulov <subkhankulov@...ras.ru>
To: Tzung-Bi Shih <tzungbi@...nel.org>
Cc: Benson Leung <bleung@...omium.org>,
Dmitry Torokhov <dmitry.torokhov@...il.com>,
chrome-platform@...ts.linux.dev, linux-kernel@...r.kernel.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>,
ldv-project@...uxtesting.org
Subject: Re: [PATCH] platform/chrome: fix double-free in
chromeos_laptop_prepare()
On Mon, 2022-08-15 at 05:00 +0000, Tzung-Bi Shih wrote:
> Alternatively, I would prefer to fix the double-free by setting
> `i2c_peripherals` to NULL after [1].
Since 'cros_laptop->num_i2c_peripherals' is assigned with nonzero value
(otherwise the code on 'err_out' is not executed), setting
'i2c_peripherals' to NULL after [1] will cause dereferencing of
NULL pointer in chromeos_laptop_destroy() at [2].
[1]:
https://elixir.bootlin.com/linux/v5.19/source/drivers/platform/chrome/chromeos_laptop.c#L787
[2]:
https://elixir.bootlin.com/linux/v5.19/source/drivers/platform/chrome/chromeos_laptop.c#L860
> After a quick glance, I found an invalid memory access at [2] if
> `i2c_peripherals` is NULL (see [3]).
After applying the patch, there will be no invalid memory access at [2]
if 'i2c_peripherals' is NULL, because in this situation
'cros_laptop->num_i2c_peripherals' is zero and there is no single
iteration of the loop.
> Or was the double-free issue
> discovered by
> some static analysis?
Yes, it was discovered by SVACE static analysis tool.
Powered by blists - more mailing lists