Message-ID: <896cec0e-53b5-42ce-a273-6954570466e2@stanley.mountain>
Date: Fri, 21 Mar 2025 17:36:09 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Lin Ma <linma@....edu.cn>
Cc: netdev@...r.kernel.org
Subject: [bug report] net: nfc: Fix use-after-free caused by nfc_llcp_find_local
Hello Lin Ma,
Commit 6709d4b7bc2e ("net: nfc: Fix use-after-free caused by
nfc_llcp_find_local") from Jun 25, 2023 (linux-next), leads to the
following Smatch static checker warning:
net/nfc/llcp_core.c:650 nfc_llcp_general_bytes()
warn: 'local' was already freed. (line 648)
net/nfc/llcp_core.c
    634 u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)
    635 {
    636         struct nfc_llcp_local *local;
    637
    638         local = nfc_llcp_find_local(dev);

This takes a reference to local.

    639         if (local == NULL) {
    640                 *general_bytes_len = 0;
    641                 return NULL;
    642         }
    643
    644         nfc_llcp_build_gb(local);
    645
    646         *general_bytes_len = local->gb_len;
    647
    648         nfc_llcp_local_put(local);

Here we drop the reference. Meaning that another thread could easily
drop their reference and then we're in a use after free.

    649
--> 650         return local->gb;

The ->gb array is a buffer in the middle of the local array. We
should hold onto the reference and only drop it in the caller when
the caller is finished with ->gb.

    651 }
regards,
dan carpenter
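The pattern in the report, as an added illustration that is not part of Dan Carpenter's message or of the kernel source: a reference-counted object whose buffer is embedded in the object, a lookup that returns the object with a reference held, and two shapes of a "return the buffer" helper. The buggy shape drops the reference before returning a pointer into the object; the fixed shape returns the object with the reference still held so the caller can call put() once it is done with the buffer. All names here (`struct local_obj`, `local_get`, `local_put`, `general_bytes_buggy`, `general_bytes_fixed`, `replay_race`) are this example's own, and the release path poisons the buffer instead of freeing it so the dangling read can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for struct nfc_llcp_local (names are this
 * example's own, not the kernel's): a reference-counted object whose
 * general-bytes buffer ->gb lives inside the object. Instead of
 * free()ing, the release path sets ->freed and poisons ->gb so a
 * read through a stale pointer is visible to a test.
 */
struct local_obj {
        int refcount;
        int freed;                 /* set once the last reference is dropped */
        unsigned char gb[16];
        size_t gb_len;
};

static void local_release(struct local_obj *l)
{
        l->freed = 1;
        memset(l->gb, 0x6b, sizeof(l->gb)); /* mimics slab poisoning */
}

static struct local_obj *local_get(struct local_obj *l)
{
        l->refcount++;
        return l;
}

static void local_put(struct local_obj *l)
{
        if (--l->refcount == 0)
                local_release(l);
}

static void build_gb(struct local_obj *l)
{
        memcpy(l->gb, "LLCP", 4); /* constructed sample general bytes */
        l->gb_len = 4;
}

/* Shape of the reported bug: the reference taken by the lookup is dropped
 * before a pointer into the object is handed back to the caller. */
static unsigned char *general_bytes_buggy(struct local_obj *dev_local, size_t *len)
{
        struct local_obj *local = local_get(dev_local); /* like the find() helper */

        build_gb(local);
        *len = local->gb_len;
        local_put(local);
        return local->gb;  /* dangling as soon as another thread drops the last ref */
}

/* Fixed shape suggested in the report: keep the reference and return the
 * object; the caller calls local_put() only after it is finished with ->gb. */
static struct local_obj *general_bytes_fixed(struct local_obj *dev_local, size_t *len)
{
        struct local_obj *local = local_get(dev_local);

        build_gb(local);
        *len = local->gb_len;
        return local;      /* reference is still held on the caller's behalf */
}

/*
 * Replays the race: the device's own reference is dropped by "another
 * thread" between the lookup and the caller's read of ->gb.
 * Returns 1 if the caller read intact bytes, 0 if it read released memory.
 */
static int replay_race(int use_fixed)
{
        struct local_obj dev_local = { .refcount = 1 }; /* the device holds one ref */
        struct local_obj *held = NULL;
        unsigned char *gb;
        size_t len = 0;
        int intact;

        if (use_fixed) {
                held = general_bytes_fixed(&dev_local, &len);
                gb = held->gb;
        } else {
                gb = general_bytes_buggy(&dev_local, &len);
        }

        local_put(&dev_local); /* the other thread drops its reference here */

        intact = !dev_local.freed && len == 4 && memcmp(gb, "LLCP", len) == 0;

        if (held)
                local_put(held);  /* caller is done with ->gb: drop the ref now */

        return intact;
}

int main(void)
{
        printf("buggy helper: bytes intact = %d\n", replay_race(0));
        printf("fixed helper: bytes intact = %d\n", replay_race(1));
        return 0;
}
```

With the buggy helper the other thread's put() is the last reference, so the object is released while the caller still holds `gb`; with the fixed helper the caller's reference keeps the object alive until it has read the buffer and called put() itself. The same reasoning applies to any accessor that returns a pointer into a refcounted object: the reference must outlive every use of that pointer, which means either the caller owns it or the accessor copies the data out before dropping it.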