linux/drivers/misc
Lv Yunlong b9c87ce3bc misc/libmasm/module: Fix two use after free in ibmasm_init_one
[ Upstream commit 7272b591c4 ]

In ibmasm_init_one, it calls ibmasm_init_remote_input_dev().
Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are
allocated by input_allocate_device(), and assigned to
sp->remote.mouse_dev and sp->remote.keybd_dev respectively.

In the err_free_devices error branch of ibmasm_init_one,
mouse_dev and keybd_dev are freed by input_free_device(), and return
error. Then the execution runs into error_send_message error branch
of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called
to unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev.

My patch adds an "error_init_remote" label to handle the error of
ibmasm_init_remote_input_dev(), to avoid the uaf bugs.

Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Link: https://lore.kernel.org/r/20210426170620.10546-1-lyl2019@mail.ustc.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-07-20 16:05:38 +02:00
..
altera-stapl
c2port
cardreader misc: rtsx: init of rts522a add OCP power off when no card is present 2021-03-04 11:38:32 +01:00
cb710
cxl
echo
eeprom eeprom: idt_89hpesx: Restore printing the unsupported fwnode name 2021-07-14 16:56:44 +02:00
genwqe
habanalabs habanalabs: Fix an error handling path in 'hl_pci_probe()' 2021-07-14 16:56:47 +02:00
ibmasm misc/libmasm/module: Fix two use after free in ibmasm_init_one 2021-07-20 16:05:38 +02:00
lis3lv02d platform/x86: hp_accel: Avoid invoking _INI to speed up resume 2021-06-03 09:00:39 +02:00
lkdtm lkdtm/bugs: XFAIL UNALIGNED_LOAD_STORE_WRITE 2021-07-19 09:45:00 +02:00
mei mei: request autosuspend after sending rx flow control 2021-06-03 09:00:32 +02:00
ocxl
sgi-gru
sgi-xp
ti-st
uacce
vmw_vmci misc: vmw_vmci: explicitly initialize vmci_datagram payload 2021-05-14 09:49:59 +02:00
ad525x_dpot-i2c.c
ad525x_dpot-spi.c
ad525x_dpot.c
ad525x_dpot.h
apds990x.c
apds9802als.c
atmel_tclib.c
atmel-ssc.c
bh1770glc.c
cs5535-mfgpt.c
ds1682.c
dummy-irq.c
enclosure.c
fastrpc.c misc: fastrpc: restrict user apps from sending kernel RPC messages 2021-03-17 17:06:31 +01:00
hisi_hikey_usb.c
hmc6352.c
hpilo.c
hpilo.h
ibmvmc.c
ibmvmc.h
ics932s401.c ics932s401: fix broken handling of errors when word reading fails 2021-05-26 12:06:56 +02:00
isl29003.c
isl29020.c
Kconfig
kgdbts.c kgdb: fix gcc-11 warnings harder 2021-06-03 09:00:31 +02:00
lattice-ecp3-config.c
Makefile
pch_phub.c
pci_endpoint_test.c
phantom.c
pti.c
pvpanic.c misc/pvpanic: Export module FDT device table 2021-03-17 17:06:31 +01:00
qcom-coincell.c
sram-exec.c
sram.c
sram.h
tifm_7xx1.c
tifm_core.c
tsl2550.c
vmw_balloon.c
xilinx_sdfec.c