lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ae37b670-a42d-4130-911c-90e0c8b828bc@redhat.com>
Date: Tue, 17 Sep 2024 15:03:56 +0200
From: Hans de Goede <hdegoede@...hat.com>
To: Aleksandr Burakov <a.burakov@...alinux.ru>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org,
 Mark Gross <markgross@...nel.org>
Cc: linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org,
 lvc-patches@...uxtesting.org, platform-driver-x86@...r.kernel.org
Subject: Re: [PATCH 6.1] platform/x86: android-platform: deref after free in
 x86_android_tablet_init() fix

Hi,

Thank you for your patch.

On 9/17/24 2:04 PM, Aleksandr Burakov wrote:
> No upstream commit exists for this commit.

Right, which is bad, especially since the upstream code actually still has this bug.

NACK.

Note that upstream in drivers/platform/x86/x86-android-tablets/core.c
the same issue is also present around line 447:

                pdevs[pdev_count] = platform_device_register_data(&pdev->dev, "gpio-keys",
                                                                  PLATFORM_DEVID_AUTO,
                                                                  &pdata, sizeof(pdata));
                if (IS_ERR(pdevs[pdev_count])) {
                        x86_android_tablet_remove(pdev);
                        return PTR_ERR(pdevs[pdev_count]);
                }
                pdev_count++;

Please submit a fix for both issues upstream, once that has been merged
you can submit a backport with a proper upstream commit reference.

Regards,

Hans





> 
> Pointer '&pdevs[i]' is dereferenced at x86_android_tablet_init()
> after the referenced memory was deallocated by calling function
> 'x86_android_tablet_cleanup()'.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs")
> Signed-off-by: Aleksandr Burakov <a.burakov@...alinux.ru>
> ---
>  drivers/platform/x86/x86-android-tablets.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/platform/x86/x86-android-tablets.c b/drivers/platform/x86/x86-android-tablets.c
> index 9178076d9d7d..9838c5332201 100644
> --- a/drivers/platform/x86/x86-android-tablets.c
> +++ b/drivers/platform/x86/x86-android-tablets.c
> @@ -1853,8 +1853,9 @@ static __init int x86_android_tablet_init(void)
>  	for (i = 0; i < pdev_count; i++) {
>  		pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]);
>  		if (IS_ERR(pdevs[i])) {
> +			int ret = PTR_ERR(pdevs[i]);
>  			x86_android_tablet_cleanup();
> -			return PTR_ERR(pdevs[i]);
> +			return ret;
>  		}
>  	}
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ