lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <c2b7264f-c533-2d80-e41e-a7019aefb602@datenfreihafen.org>
Date:   Sat, 7 Oct 2023 20:42:46 +0200
From:   Stefan Schmidt <stefan@...enfreihafen.org>
To:     Dinghao Liu <dinghao.liu@....edu.cn>
Cc:     stable@...r.kernel.org, Alexander Aring <alex.aring@...il.com>,
        Miquel Raynal <miquel.raynal@...tlin.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Harry Morris <harrymorris12@...il.com>,
        Marcel Holtmann <marcel@...tmann.org>,
        linux-wpan@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] [v4] ieee802154: ca8210: Fix a potential UAF in
 ca8210_probe

Hello.

On 07.10.23 05:30, Dinghao Liu wrote:
> If of_clk_add_provider() fails in ca8210_register_ext_clock(),
> it calls clk_unregister() to release priv->clk and returns an
> error. However, the caller ca8210_probe() then calls ca8210_remove(),
> where priv->clk is freed again in ca8210_unregister_ext_clock(). In
> this case, a use-after-free may happen in the second time we call
> clk_unregister().
> 
> Fix this by removing the first clk_unregister(). Also, priv->clk could
> be an error code on failure of clk_register_fixed_rate(). Use
> IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().
> 
> Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
> Signed-off-by: Dinghao Liu <dinghao.liu@....edu.cn>
> ---
> 
> Changelog:
> 
> v2: -Remove the first clk_unregister() instead of nulling priv->clk.
> 
> v3: -Simplify ca8210_register_ext_clock().
>      -Add a ';' after return in ca8210_unregister_ext_clock().
> 
> v4: -Remove an unused variable 'ret'.


This patch has been applied to the wpan tree and will be
part of the next pull request to net. Thanks!

regards
Stefan Schmidt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ