Date: Tue, 21 May 2024 00:19:56 +0000
From: "K, Kiran" <kiran.k@...el.com>
To: Su Hui <suhui@...china.com>, "marcel@...tmann.org" <marcel@...tmann.org>,
	"luiz.dentz@...il.com" <luiz.dentz@...il.com>, "nathan@...nel.org"
	<nathan@...nel.org>, "ndesaulniers@...gle.com" <ndesaulniers@...gle.com>,
	"morbo@...gle.com" <morbo@...gle.com>, "justinstitt@...gle.com"
	<justinstitt@...gle.com>
CC: "seema.sreemantha@...el.com" <seema.sreemantha@...el.com>,
	"linux-bluetooth@...r.kernel.org" <linux-bluetooth@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"llvm@...ts.linux.dev" <llvm@...ts.linux.dev>,
	"kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>
Subject: RE: [PATCH 2/2]  Bluetooth: btintel: fix use after free problem in
 btintel_ppag_callback()

Hi Su Hui,

Thanks for your patch. 'btintel_ppag_callback' has been removed as part of 287da9035b2e.

>-----Original Message-----
>From: Su Hui <suhui@...china.com>
>Sent: Monday, May 20, 2024 7:46 AM
>To: marcel@...tmann.org; luiz.dentz@...il.com; nathan@...nel.org;
>ndesaulniers@...gle.com; morbo@...gle.com; justinstitt@...gle.com
>Cc: Su Hui <suhui@...china.com>; K, Kiran <kiran.k@...el.com>;
>seema.sreemantha@...el.com; linux-bluetooth@...r.kernel.org; linux-
>kernel@...r.kernel.org; llvm@...ts.linux.dev; kernel-janitors@...r.kernel.org
>Subject: [PATCH 2/2] Bluetooth: btintel: fix use after free problem in
>btintel_ppag_callback()
>
>Clang static checker (scan-build) warning:
>drivers/bluetooth/btintel.c:1369:8: Use of memory after it is freed.
>
>'p' is equal to 'buffer.pointer'; using 'p->type' after releasing 'buffer.pointer'
>causes this use-after-free problem.
>Change the order of releasing buffer.pointer to fix this problem.
>
>Fixes: c585a92b2f9c ("Bluetooth: btintel: Set Per Platform Antenna
>Gain(PPAG)")
>Signed-off-by: Su Hui <suhui@...china.com>
>---
> drivers/bluetooth/btintel.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c index
>f1c101dc0c28..d94a8ccd1428 100644
>--- a/drivers/bluetooth/btintel.c
>+++ b/drivers/bluetooth/btintel.c
>@@ -1364,9 +1364,9 @@ static acpi_status btintel_ppag_callback(acpi_handle
>handle, u32 lvl, void *data
> 	ppag = (struct btintel_ppag *)data;
>
> 	if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
>-		kfree(buffer.pointer);
> 		bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or
>package count: %d",
> 			    p->type, p->package.count);
>+		kfree(buffer.pointer);
> 		ppag->status = AE_ERROR;
> 		return AE_ERROR;
> 	}
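
Review bot: In the `if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2)` branch, the free is still done inline next to the code that reads `p`, so the same ordering mistake can come back with any later edit to this branch. Moving `kfree(buffer.pointer)` after the `bt_dev_warn()` that reads `p->type` and `p->package.count` is the correct order; consider routing this error path through a single cleanup label at the end of the function that does the `kfree(buffer.pointer)`, so no use of `p` can end up after the free. Also note that, per the reply above, `btintel_ppag_callback` was removed in 287da9035b2e, so this change only applies to trees that carry c585a92b2f9c without that later commit; the changelog should say which tree it targets.
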
>--
>2.30.2

Thanks,
Kiran

