Message-Id: <20250212-spi-offload-fixes-v1-2-e192c69e3bb3@baylibre.com>
Date: Wed, 12 Feb 2025 11:33:13 -0600
From: David Lechner <dlechner@...libre.com>
To: Mark Brown <broonie@...nel.org>, 
 Jonathan Cameron <Jonathan.Cameron@...wei.com>, 
 Nuno Sa <nuno.sa@...log.com>
Cc: linux-spi@...r.kernel.org, linux-kernel@...r.kernel.org, 
 David Lechner <dlechner@...libre.com>, kernel test robot <lkp@...el.com>, 
 Dan Carpenter <dan.carpenter@...aro.org>
Subject: [PATCH 2/2] spi: offload: fix use after free

Fix a use after free bug in devm_spi_offload_get() where a pointer
was dereferenced after being freed. Instead, add a new local variable
to avoid needing to use the resource pointer to access the offload
pointer.

Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
Closes: https://lore.kernel.org/r/202502112344.7ggtFzyn-lkp@intel.com/
Fixes: 5a19e1985d01 ("spi: axi-spi-engine: implement offload support")
Signed-off-by: David Lechner <dlechner@...libre.com>
---
 drivers/spi/spi-offload.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/spi/spi-offload.c b/drivers/spi/spi-offload.c
index df5e963d5ee29d37833559595536a460c530bc81..6bad042fe4373e8b91dae3154ef5e22744a4acd0 100644
--- a/drivers/spi/spi-offload.c
+++ b/drivers/spi/spi-offload.c
@@ -108,6 +108,7 @@ struct spi_offload *devm_spi_offload_get(struct device *dev,
 					 const struct spi_offload_config *config)
 {
 	struct spi_controller_and_offload *resource;
+	struct spi_offload *offload;
 	int ret;
 
 	if (!spi || !config)
@@ -120,18 +121,20 @@ struct spi_offload *devm_spi_offload_get(struct device *dev,
 	if (!resource)
 		return ERR_PTR(-ENOMEM);
 
-	resource->controller = spi->controller;
-	resource->offload = spi->controller->get_offload(spi, config);
-	if (IS_ERR(resource->offload)) {
+	offload = spi->controller->get_offload(spi, config);
+	if (IS_ERR(offload)) {
 		kfree(resource);
-		return resource->offload;
+		return offload;
 	}
 
+	resource->controller = spi->controller;
+	resource->offload = offload;
+
 	ret = devm_add_action_or_reset(dev, spi_offload_put, resource);
 	if (ret)
 		return ERR_PTR(ret);
 
-	return resource->offload;
+	return offload;
 }
 EXPORT_SYMBOL_GPL(devm_spi_offload_get);
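Review bot: In the success path, the two assignments to `resource->controller` and `resource->offload` now sit directly before devm_add_action_or_reset(), and the final `return offload;` depends on `resource` not being touched after that call. That ordering is easy to undo in a later cleanup, so a one-line comment above the assignments would help. It should say that `resource` must be fully populated before the action is registered, because devm_add_action_or_reset() runs spi_offload_put on it immediately if registration fails, and that `resource` must not be read afterwards. Separately, the Fixes: tag names "spi: axi-spi-engine: implement offload support", while the removed `kfree(resource); return resource->offload;` sequence is in drivers/spi/spi-offload.c. Please confirm 5a19e1985d01 is the commit that introduced devm_spi_offload_get(), so that backports attach to the right change.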
 

-- 
2.43.0

