Message-ID: <875xkzfj7l.fsf@bootlin.com>
Date: Mon, 24 Feb 2025 16:36:30 +0100
From: Miquel Raynal <miquel.raynal@...tlin.com>
To: Ma Ke <make24@...as.ac.cn>
Cc: richard@....at,  vigneshr@...com,  David.Woodhouse@...el.com,
  jarkko.lavinen@...ia.com,  linux-mtd@...ts.infradead.org,
  linux-kernel@...r.kernel.org,  stable@...r.kernel.org
Subject: Re: [PATCH] mtd: Fix potential UAF for mtdswap_dev pointers

Hello Ma,

On 24/02/2025 at 21:30:07 +08, Ma Ke <make24@...as.ac.cn> wrote:

> In the mtdswap_init(), if the allocations fail, the error handling
> path frees d->page_buf, d->eb_data, d->revmap and d->page_data without
> setting these pointers to NULL. This could lead to UAF if subsequent
> error handling or device reset operations attempt to release these
> pointers again.
>
> Set d->page_buf, d->eb_data, d->revmap and d->page_data to NULL
> immediately after freeing them to prevent misuse. Release immediately
> and set to NULL, adhering to the 'release implies invalid' defensive
> programming principle.
>
> Found by code review.
>
> Cc: stable@...r.kernel.org
> Fixes: a32159024620 ("mtd: Add mtdswap block driver")

I am sorry but are you really fixing something? There are thousands of
drivers doing nothing with their freed pointers in the error path,
because they just cannot be used anymore.

Thanks,
Miquèl
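
A userspace model of the pattern debated above, added as an example and not taken from mtdswap or from either poster. Only the four field names come from the patch description; the slot allocator and every function name are hypothetical. It counts releases of already-freed memory in three cases: stale pointers with a second cleanup, cleared pointers with a second cleanup, and stale pointers that nothing touches again.

```c
#include <stdio.h>
#include <string.h>
/* Userspace model, not kernel code. Only the four field names come from the
 * patch description; every other name here is hypothetical. */
struct swap_dev { void *page_buf, *eb_data, *revmap, *page_data; };

/* Slot allocator standing in for the kernel allocators; counts stale frees. */
#define SLOTS 8
static char pool[SLOTS][64];
static int in_use[SLOTS], stale_frees;
static void *t_alloc(int fail) {
    for (int i = 0; !fail && i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}
static void t_free(void *p) {
    if (!p) return;                       /* NULL is a no-op, as with kfree() */
    int i = (int)(((char *)p - &pool[0][0]) / 64);
    if (in_use[i]) in_use[i] = 0; else stale_frees++;
}
static void release_all(struct swap_dev *d, int clear) {
    t_free(d->page_data); t_free(d->page_buf);
    t_free(d->revmap);    t_free(d->eb_data);
    if (clear) memset(d, 0, sizeof(*d));  /* the change the patch proposes */
}

/* Third of four allocations fails, so the error path unwinds the first two. */
static int dev_init(struct swap_dev *d, int clear) {
    memset(d, 0, sizeof(*d));
    if (!(d->eb_data = t_alloc(0)) || !(d->revmap = t_alloc(0)) ||
        !(d->page_buf = t_alloc(1)) || !(d->page_data = t_alloc(0))) {
        release_all(d, clear);
        return -1;
    }
    return 0;
}

/* Stale releases seen when (or if) a caller cleans up again after failure. */
int stale_releases(int clear, int cleanup_again) {
    struct swap_dev d;
    stale_frees = 0;
    if (dev_init(&d, clear) < 0 && cleanup_again)
        release_all(&d, clear);
    return stale_frees;
}

int main(void) {
    printf("%d %d %d\n", stale_releases(0, 1), stale_releases(1, 1),
           stale_releases(0, 0));
}
```

Whether the real driver has any path that plays the role of `cleanup_again` is the question the reply raises; the model only shows that the answer decides whether clearing the pointers changes anything.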
