| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20221117044954.26277-1-yiyang13@huawei.com>
Date: Thu, 17 Nov 2022 12:49:54 +0800
From: Yi Yang <yiyang13@...wei.com>
To: <maarten.lankhorst@...ux.intel.com>, <mripard@...nel.org>,
<tzimmermann@...e.de>, <airlied@...il.com>, <daniel@...ll.ch>,
<eric@...olt.net>, <yiyang13@...wei.com>
CC: <dri-devel@...ts.freedesktop.org>, <linux-kernel@...r.kernel.org>
Subject: [PATCH] drm: Fix possible UAF in drm_addmap_core
smatch report warning as follows:
drivers/gpu/drm/drm_bufs.c:365 drm_addmap_core() warn:
'&list->head' not removed from list
If drm_map_handle() fails in drm_addmap_core(), the list will be
freed, but the list->head will not be removed from dev->maplist,
then list traversal may cause UAF.
Fix by removeing it from list->head before free().
Fixes: 9a298b2acd77 ("drm: Remove memory debugging infrastructure.")
Signed-off-by: Yi Yang <yiyang13@...wei.com>
---
drivers/gpu/drm/drm_bufs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
index fcca21e8efac..e739e577902c 100644
--- a/drivers/gpu/drm/drm_bufs.c
+++ b/drivers/gpu/drm/drm_bufs.c
@@ -362,6 +362,7 @@ static int drm_addmap_core(struct drm_device *dev, resource_size_t offset,
if (map->type == _DRM_REGISTERS)
iounmap(map->handle);
kfree(map);
+ list_del(&list->head);
kfree(list);
mutex_unlock(&dev->struct_mutex);
return ret;
--
2.17.1
Powered by blists - more mailing lists