| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <PH0PR11MB7585ADB11BA022103C6394EFF5EA2@PH0PR11MB7585.namprd11.prod.outlook.com>
Date: Tue, 21 May 2024 00:19:56 +0000
From: "K, Kiran" <kiran.k@...el.com>
To: Su Hui <suhui@...china.com>, "marcel@...tmann.org" <marcel@...tmann.org>,
"luiz.dentz@...il.com" <luiz.dentz@...il.com>, "nathan@...nel.org"
<nathan@...nel.org>, "ndesaulniers@...gle.com" <ndesaulniers@...gle.com>,
"morbo@...gle.com" <morbo@...gle.com>, "justinstitt@...gle.com"
<justinstitt@...gle.com>
CC: "seema.sreemantha@...el.com" <seema.sreemantha@...el.com>,
"linux-bluetooth@...r.kernel.org" <linux-bluetooth@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"llvm@...ts.linux.dev" <llvm@...ts.linux.dev>,
"kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>
Subject: RE: [PATCH 2/2] Bluetooth: btintel: fix use after free problem in
btintel_ppag_callback()
Hi Su Hui,
Thanks for your patch. 'btintel_ppag_callback' has been removed as part of 287da9035b2e.
>-----Original Message-----
>From: Su Hui <suhui@...china.com>
>Sent: Monday, May 20, 2024 7:46 AM
>To: marcel@...tmann.org; luiz.dentz@...il.com; nathan@...nel.org;
>ndesaulniers@...gle.com; morbo@...gle.com; justinstitt@...gle.com
>Cc: Su Hui <suhui@...china.com>; K, Kiran <kiran.k@...el.com>;
>seema.sreemantha@...el.com; linux-bluetooth@...r.kernel.org; linux-
>kernel@...r.kernel.org; llvm@...ts.linux.dev; kernel-janitors@...r.kernel.org
>Subject: [PATCH 2/2] Bluetooth: btintel: fix use after free problem in
>btintel_ppag_callback()
>
>Clang static checker(scan-build) warning:
>drivers/bluetooth/btintel.c:1369:8: Use of memory after it is freed.
>
>'p' is equal to 'buffer.pointer', using of 'p->type' after releasing 'buffer.pointer'
>causes this use after free problem.
>Change the order of releasing buffer.pointer to fix this problem.
>
>Fixes: c585a92b2f9c ("Bluetooth: btintel: Set Per Platform Antenna
>Gain(PPAG)")
>Signed-off-by: Su Hui <suhui@...china.com>
>---
> drivers/bluetooth/btintel.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c index
>f1c101dc0c28..d94a8ccd1428 100644
>--- a/drivers/bluetooth/btintel.c
>+++ b/drivers/bluetooth/btintel.c
>@@ -1364,9 +1364,9 @@ static acpi_status btintel_ppag_callback(acpi_handle
>handle, u32 lvl, void *data
> ppag = (struct btintel_ppag *)data;
>
> if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
>- kfree(buffer.pointer);
> bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or
>package count: %d",
> p->type, p->package.count);
>+ kfree(buffer.pointer);
> ppag->status = AE_ERROR;
> return AE_ERROR;
> }
>--
>2.30.2
Thanks,
Kiran
Powered by blists - more mailing lists