lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4cd852e0-6d6d-fcb4-6e4c-e6f861f429db@outbound.gmail.com>
Date: Mon, 10 Mar 2025 15:45:46 +0200
From: Eli Billauer <eli.billauer@...il.com>
To: Ma Ke <make24@...as.ac.cn>, arnd@...db.de, gregkh@...uxfoundation.org
Cc: linux-kernel@...r.kernel.org, akpm@...ux-foundation.org,
 stable@...r.kernel.org
Subject: Re: [PATCH] char: xillybus: Fix error handling in
 xillybus_init_chrdev()

Hello,

Thanks for your patch.

However, as far as I understand, applying it will cause a Use After Free 
(UAF) error by cdev_del(), as the call to kobject_put() unwinds the 
memory allocation made by cdev_alloc().

Or have I missed something?

Regards,
    Eli

On 10/03/2025 4:28, Ma Ke wrote:
> After cdev_alloc() succeed and cdev_add() failed, call cdev_del() to
> remove unit->cdev from the system properly.
> 
> Found by code review.
> 
> Cc: stable@...r.kernel.org
> Fixes: 8cb5d216ab33 ("char: xillybus: Move class-related functions to new xillybus_class.c")
> Signed-off-by: Ma Ke <make24@...as.ac.cn>
> ---
>   drivers/char/xillybus/xillybus_class.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/char/xillybus/xillybus_class.c b/drivers/char/xillybus/xillybus_class.c
> index c92a628e389e..045e125ec423 100644
> --- a/drivers/char/xillybus/xillybus_class.c
> +++ b/drivers/char/xillybus/xillybus_class.c
> @@ -105,7 +105,7 @@ int xillybus_init_chrdev(struct device *dev,
>   		dev_err(dev, "Failed to add cdev.\n");
>   		/* kobject_put() is normally done by cdev_del() */
>   		kobject_put(&unit->cdev->kobj);
> -		goto unregister_chrdev;
> +		goto err_cdev;
>   	}
>   
>   	for (i = 0; i < num_nodes; i++) {
> @@ -157,6 +157,7 @@ int xillybus_init_chrdev(struct device *dev,
>   		device_destroy(&xillybus_class, MKDEV(unit->major,
>   						     i + unit->lowest_minor));
>   
> +err_cdev:
>   	cdev_del(unit->cdev);
>   
>   unregister_chrdev:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ