Message-ID: <DM6PR11MB4657A297365AE59DE960AA899BC02@DM6PR11MB4657.namprd11.prod.outlook.com>
Date: Mon, 24 Feb 2025 09:31:27 +0000
From: "Kubalewski, Arkadiusz" <arkadiusz.kubalewski@...el.com>
To: Jiasheng Jiang <jiashengjiangcool@...il.com>, "vadim.fedorenko@...ux.dev"
	<vadim.fedorenko@...ux.dev>, "jiri@...nulli.us" <jiri@...nulli.us>,
	"davem@...emloft.net" <davem@...emloft.net>, "Glaza, Jan"
	<jan.glaza@...el.com>, "Kitszel, Przemyslaw" <przemyslaw.kitszel@...el.com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: RE: [PATCH] dpll: Add a check before kfree() to match the existing
 check before kmemdup()

Hi Jiasheng, many thanks for the patch!

>From: Jiasheng Jiang <jiashengjiangcool@...il.com>
>Sent: Sunday, February 23, 2025 9:17 PM
>
>When src->freq_supported is not NULL but src->freq_supported_num is 0,
>dst->freq_supported is equal to src->freq_supported.
>In this case, if the subsequent kstrdup() fails, src->freq_supported may

The src->freq_supported is not being freed in this function,
you meant dst->freq_supported?
But also it is not true.
dst->freq_supported is being freed already, this patch adds only additional
condition over it.
From kfree doc: "If @object is NULL, no operation is performed.".

>be freed without being set to NULL, potentially leading to a
>use-after-free or double-free error.
>

kfree does not set it to NULL, from what I know. How would it lead to
use-after-free/double-free?
Why would one use the memory after the function returns -ENOMEM?

I don't think this patch is needed or resolves anything.

Thank you!
Arkadiusz

>Fixes: 830ead5fb0c5 ("dpll: fix pin dump crash for rebound module")
>Cc: <stable@...r.kernel.org> # v6.8+
>Signed-off-by: Jiasheng Jiang <jiashengjiangcool@...il.com>
>---
> drivers/dpll/dpll_core.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/drivers/dpll/dpll_core.c b/drivers/dpll/dpll_core.c
>index 32019dc33cca..7d147adf8455 100644
>--- a/drivers/dpll/dpll_core.c
>+++ b/drivers/dpll/dpll_core.c
>@@ -475,7 +475,8 @@ static int dpll_pin_prop_dup(const struct
>dpll_pin_properties *src,
> err_panel_label:
> 	kfree(dst->board_label);
> err_board_label:
>-	kfree(dst->freq_supported);
>+	if (src->freq_supported_num)
>+		kfree(dst->freq_supported);
> 	return -ENOMEM;
> }
>
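Review bot: the guard `if (src->freq_supported_num)` in front of `kfree(dst->freq_supported)` makes the free depend on the source's count rather than on what dst actually owns, and the hunk does not show why dst->freq_supported could be non-NULL without being dst's own allocation; the commit message says it equals src->freq_supported when freq_supported_num is 0, but the statement that makes them equal is outside the quoted context, so the message should cite it so reviewers can verify the premise. If that premise holds, the more robust fix is to clear dst->freq_supported (and freq_supported_num) in the branch where kmemdup() is skipped, keeping the unconditional kfree(), which is a no-op on NULL; if it does not hold, the added guard is redundant.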
>--
>2.25.1
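The error-unwind pattern under discussion, modelled in userland C as an added example (not the kernel's dpll code): `pin_props_dup()`, `xalloc()`, `xfree()` and the fault-injection harness are assumptions, and the shallow copy ahead of the deep copies is assumed from the commit message. It contrasts the aliasing hazard the patch describes with a version that clears the pointer so the unconditional free stays safe.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Userland model of the properties copy from the thread (added example, not
 * the kernel's code): field names follow the hunk, copy order is assumed. */
struct pin_props { char *board_label, *panel_label; unsigned int *freq_supported, freq_supported_num; };

static int fail_step;                            /* fault injection: allocation that fails */
static void *freed_log[4]; static int nfreed;    /* pointers released by the unwind */
static void *xalloc(int step, size_t n) { return step == fail_step ? NULL : malloc(n); }
static void xfree(void *p) { if (p && nfreed < 4) freed_log[nfreed++] = p; free(p); }
static char *xstrdup(int step, const char *s) { char *p = xalloc(step, strlen(s) + 1); return p ? strcpy(p, s) : NULL; }

/* Not hardened: a skipped array copy leaves dst->freq_supported aliasing src's
 * buffer, so the error path frees memory dst does not own. Hardened: the pointer
 * is cleared, so free()/kfree() sees dst's own buffer or NULL (a no-op) and the
 * unwind needs no guard on the count. */
static int pin_props_dup(const struct pin_props *src, struct pin_props *dst, int hardened) {
    memcpy(dst, src, sizeof(*dst));
    if (src->freq_supported && src->freq_supported_num) {
        size_t sz = src->freq_supported_num * sizeof(*src->freq_supported);
        if (!(dst->freq_supported = xalloc(1, sz)))
            return -ENOMEM;
        memcpy(dst->freq_supported, src->freq_supported, sz);
    } else if (hardened) {
        dst->freq_supported = NULL;
        dst->freq_supported_num = 0;
    }
    if (src->board_label && !(dst->board_label = xstrdup(2, src->board_label)))
        goto err_board_label;
    if (src->panel_label && !(dst->panel_label = xstrdup(3, src->panel_label)))
        goto err_panel_label;
    return 0;
err_panel_label:
    xfree(dst->board_label);
err_board_label:
    xfree(dst->freq_supported);
    return -ENOMEM;
}

/* Constructed input: non-NULL src array with freq_supported_num == 0, the case
 * named in the commit message. Returns 1 if failing allocation `step` made the
 * unwind free src's buffer, 0 if dst released only its own memory. */
int unwind_frees_src_buffer(int step, int hardened) {
    struct pin_props src = { "board", "panel", malloc(sizeof(unsigned int)), 0 }, dst;
    int rc, hit = 0, i; nfreed = 0; fail_step = step;
    rc = pin_props_dup(&src, &dst, hardened);
    for (i = 0; i < nfreed; i++) hit |= freed_log[i] == src.freq_supported;
    if (rc == 0) { free(dst.board_label); free(dst.panel_label); }
    if (!hit) free(src.freq_supported);
    return hit;
}
```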

