lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250410183450.15514-1-purvayeshi550@gmail.com>
Date: Fri, 11 Apr 2025 00:04:50 +0530
From: Purva Yeshi <purvayeshi550@...il.com>
To: Luca Tettamanti <kronos.it@...il.com>,
	Jean Delvare <jdelvare@...e.com>,
	Guenter Roeck <linux@...ck-us.net>
Cc: linux-hwmon@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Purva Yeshi <purvayeshi550@...il.com>
Subject: [PATCH] hwmon: asus_atk0110: NULL buf.pointer after free

Fix Smatch-detected issue:
drivers/hwmon/asus_atk0110.c:987 atk_enumerate_old_hwmon() error:
double free of 'buf.pointer' (line 966)
drivers/hwmon/asus_atk0110.c:1008 atk_enumerate_old_hwmon() error:
double free of 'buf.pointer' (line 987)

Smatch warns about double free of 'buf.pointer'.
This happens because the same buffer struct is reused multiple times
without resetting the pointer after free. Set buf.pointer = NULL
after each ACPI_FREE to prevent possible use-after-free bugs.

Signed-off-by: Purva Yeshi <purvayeshi550@...il.com>
---
 drivers/hwmon/asus_atk0110.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c
index c80350e499e9..83ee7f25bb8e 100644
--- a/drivers/hwmon/asus_atk0110.c
+++ b/drivers/hwmon/asus_atk0110.c
@@ -964,6 +964,7 @@ static int atk_enumerate_old_hwmon(struct atk_data *data)
 			count++;
 	}
 	ACPI_FREE(buf.pointer);
+	buf.pointer = NULL;
 
 	/* Temperatures */
 	buf.length = ACPI_ALLOCATE_BUFFER;
@@ -985,6 +986,7 @@ static int atk_enumerate_old_hwmon(struct atk_data *data)
 			count++;
 	}
 	ACPI_FREE(buf.pointer);
+	buf.pointer = NULL;
 
 	/* Fans */
 	buf.length = ACPI_ALLOCATE_BUFFER;
@@ -1006,6 +1008,7 @@ static int atk_enumerate_old_hwmon(struct atk_data *data)
 			count++;
 	}
 	ACPI_FREE(buf.pointer);
+	buf.pointer = NULL;
 
 	return count;
 }
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ