linux/drivers/mtd
Zhihao Cheng 6d8d3f68cb ubi: ubi_create_volume: Fix use-after-free when volume creation failed
[ Upstream commit 8c03a1c21d ]

There is a use-after-free problem for 'eba_tbl' in ubi_create_volume()'s
error handling path:

  ubi_eba_replace_table(vol, eba_tbl)
    vol->eba_tbl = tbl
out_mapping:
  ubi_eba_destroy_table(eba_tbl)   // Free 'eba_tbl'
out_unlock:
  put_device(&vol->dev)
    vol_release
      kfree(tbl->entries)	  // UAF

Fix it by removing redundant 'eba_tbl' releasing.
Fetch a reproducer in [Link].

Fixes: 493cfaeaa0 ("mtd: utilize new cdev_device_add helper function")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215965
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-06-14 18:32:35 +02:00
chips mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N 2022-06-09 10:21:25 +02:00
devices
hyperbus mtd: hyperbus: rpc-if: fix bug in rpcif_hb_remove 2022-01-27 10:53:50 +01:00
lpddr
maps mtd: fixup CFI on ixp4xx 2022-01-20 09:17:52 +01:00
nand mtd: rawnand: cadence: fix possible null-ptr-deref in cadence_nand_dt_probe() 2022-06-09 10:21:04 +02:00
parsers mtd: partitions: redboot: seek fis-index-block in the right node 2021-07-14 16:56:38 +02:00
spi-nor mtd: spi-nor: core: Check written SR value in spi_nor_write_16bit_sr_and_check() 2022-06-09 10:21:03 +02:00
tests
ubi ubi: ubi_create_volume: Fix use-after-free when volume creation failed 2022-06-14 18:32:35 +02:00
ftl.c
inftlcore.c
inftlmount.c
Kconfig
Makefile
mtd_blkdevs.c
mtdblock_ro.c
mtdblock.c
mtdchar.c mtd: require write permissions for locking and badblock ioctls 2021-05-14 09:50:13 +02:00
mtdconcat.c mtd: mtdconcat: Check _read, _write callbacks existence before assignment 2021-09-22 12:28:03 +02:00
mtdcore.c mtd: core: don't remove debugfs directory if device is in use 2021-11-18 14:04:23 +01:00
mtdcore.h
mtdoops.c
mtdpart.c mtd: Fixed breaking list in __mtd_del_partition. 2022-01-27 10:53:41 +01:00
mtdpstore.c
mtdsuper.c
mtdswap.c
nftlcore.c
nftlmount.c
rfd_ftl.c
sm_ftl.c
sm_ftl.h
ssfdc.c