| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Mar 2022 08:04:46 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Jianglei Nie <niejianglei2021@....com>
Cc: davem@...emloft.net, caihuoqing@...du.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: arc_emac: Fix use after free in arc_mdio_probe()
On Thu, 3 Mar 2022 09:30:22 +0800 Jianglei Nie wrote:
> If bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free
> the "bus". But bus->name is still used in the next line, which will lead
> to a use after free.
>
> We can fix it by assigning dev_err_probe() to dev_err before the bus is
> freed to avoid the uaf.
>
> Signed-off-by: Jianglei Nie <niejianglei2021@....com>
> ---
> drivers/net/ethernet/arc/emac_mdio.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/arc/emac_mdio.c b/drivers/net/ethernet/arc/emac_mdio.c
> index 9acf589b1178..795a25c5848a 100644
> --- a/drivers/net/ethernet/arc/emac_mdio.c
> +++ b/drivers/net/ethernet/arc/emac_mdio.c
> @@ -165,9 +165,10 @@ int arc_mdio_probe(struct arc_emac_priv *priv)
>
> error = of_mdiobus_register(bus, priv->dev->of_node);
> if (error) {
> - mdiobus_free(bus);
> - return dev_err_probe(priv->dev, error,
> + int dev_err = dev_err_probe(priv->dev, error,
> "cannot register MDIO bus %s\n", bus->name);
Bus name is a constant please put it in a local variable:
const char *name = "Synopsys MII Bus";
...
bus->name = name;
and then you can use name in the error message without referring to bus.
> + mdiobus_free(bus);
> + return dev_err;
> }
>
> return 0;
Powered by blists - more mailing lists