Message-ID: <6eb17b85-1b38-401d-84b6-4e995482d86f@linaro.org>
Date: Thu, 29 Feb 2024 18:57:11 +0100
From: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
To: Pratyush Brahma <quic_pbrahma@...cinc.com>,
 Dmitry Baryshkov <dmitry.baryshkov@...aro.org>
Cc: quic_c_gdjako@...cinc.com, andersson@...nel.org, conor+dt@...nel.org,
 devicetree@...r.kernel.org, djakov@...nel.org, iommu@...ts.linux.dev,
 joro@...tes.org, konrad.dybcio@...aro.org,
 krzysztof.kozlowski+dt@...aro.org, linux-arm-kernel@...ts.infradead.org,
 linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org,
 quic_cgoldswo@...cinc.com, quic_pdaly@...cinc.com,
 quic_sudaraja@...cinc.com, quic_sukadev@...cinc.com, robdclark@...il.com,
 robh+dt@...nel.org, robin.murphy@....com, will@...nel.org
Subject: Re: [PATCH 1/1] iommu/arm-smmu-qcom: Fix use-after-free issue in
 qcom_smmu_create()

On 13/02/2024 09:17, Pratyush Brahma wrote:
> 
> On 2/13/2024 1:36 PM, Dmitry Baryshkov wrote:
>> On Tue, 13 Feb 2024 at 08:27, Pratyush Brahma <quic_pbrahma@...cinc.com> wrote:
>>> Currently, during arm smmu probe, struct arm_smmu_device pointer
>>> is allocated. The pointer is reallocated to a new struct qcom_smmu in
>>> qcom_smmu_create() with devm_krealloc() which frees the smmu device
>>> after copying the data into the new pointer.
>>>
>>> The freed pointer is then passed again in devm_of_platform_populate()
>>> inside qcom_smmu_create() which causes a use-after-free issue.
>>>
>>> Fix the use-after-free issue by reassigning the old pointer to
>>> the new pointer where the struct was copied by devm_krealloc().
>>>
>>> Signed-off-by: Pratyush Brahma <quic_pbrahma@...cinc.com>
>> Missing Fixes tag.
> Haven't added as the patchset in-reply-to hasn't been merged to 
> linux-next. Please refer to my next reply.

Why do you send patches for work being reviewed? Just perform the
review. It looks like you deliberately want to apply bad code just to
fix it a second later!

Best regards,
Krzysztof
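
The stale-pointer pattern described in the quoted commit message, as a userspace model added here for illustration; it is not code from the patch or the kernel. The names smmu_dev, vendor_smmu, grow_and_move, populate and vendor_create are hypothetical stand-ins, and grow_and_move only models the copy-then-free behaviour the commit message attributes to devm_krealloc().

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace stand-ins for the kernel structures. */
struct smmu_dev { int num_ctx; };
struct vendor_smmu { struct smmu_dev smmu; int vendor_flags; }; /* base first */

static uintptr_t last_old_addr;  /* old block's address, kept as an integer only */
static int last_populated = -1;  /* what the later consumer read */

/* Models the realloc behaviour the commit message describes: copy the data
 * into a new, larger block, then free the old one. The block always moves. */
static void *grow_and_move(void *old, size_t old_sz, size_t new_sz)
{
    void *p = calloc(1, new_sz);
    if (!p) return NULL;        /* old block is untouched on failure */
    memcpy(p, old, old_sz);
    free(old);
    return p;
}

/* Stand-in for a later call that consumes the device pointer. */
static void populate(struct smmu_dev *smmu) { last_populated = smmu->num_ctx; }

struct smmu_dev *vendor_create(struct smmu_dev *smmu)
{
    struct vendor_smmu *v;
    last_old_addr = (uintptr_t)smmu;
    v = grow_and_move(smmu, sizeof(*smmu), sizeof(*v));
    if (!v) return NULL;
    /* Bug pattern: calling populate(smmu) here would read freed memory. */
    smmu = &v->smmu;            /* fix: rebind the name to the live copy */
    v->vendor_flags = 1;
    populate(smmu);
    return smmu;
}

int main(void)
{
    struct smmu_dev *d = calloc(1, sizeof(*d));
    if (!d) return 1;
    d->num_ctx = 8;
    d = vendor_create(d);       /* caller drops its old pointer too */
    if (!d || last_populated != 8) return 1;
    free(d);
    return 0;
}
```

Building the model with -fsanitize=address and moving the populate() call above the reassignment makes the sanitizer report the heap-use-after-free at that read.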

