| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 May 2019 08:33:47 +0300
From: Luca Coelho <luca@...lho.fi>
To: Jia-Ju Bai <baijiaju1990@...il.com>, johannes.berg@...el.com,
emmanuel.grumbach@...el.com, linuxwifi@...el.com,
kvalo@...eaurora.org, davem@...emloft.net
Cc: linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: wireless: iwlwifi: Fix double-free problems in
iwl_req_fw_callback()
On Sat, 2019-05-04 at 17:33 +0800, Jia-Ju Bai wrote:
> In the error handling code of iwl_req_fw_callback(),
> iwl_dealloc_ucode()
> is called to free data. In iwl_drv_stop(), iwl_dealloc_ucode() is
> called
> again, which can cause double-free problems.
>
> To fix this bug, the call to iwl_dealloc_ucode() in
> iwl_req_fw_callback() is deleted.
>
> This bug is found by a runtime fuzzing tool named FIZZER written by
> us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@...il.com>
> ---
> drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
> b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
> index 689a65b11cc3..4fd1737d768b 100644
> --- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
> +++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
> @@ -1579,7 +1579,6 @@ static void iwl_req_fw_callback(const struct
> firmware *ucode_raw, void *context)
> goto free;
>
> out_free_fw:
> - iwl_dealloc_ucode(drv);
> release_firmware(ucode_raw);
> out_unbind:
> complete(&drv->request_firmware_complete);
Thanks! Applied to our internal tree and will reach the mainline
following our normal upstreaming process.
--
Cheers,
Luca.
Powered by blists - more mailing lists