| From 736e55b6804fb2a12ff216ad9b87a2b2cc068134 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Mon, 26 Apr 2021 10:06:20 -0700 |
| Subject: misc/libmasm/module: Fix two use after free in ibmasm_init_one |
| |
| From: Lv Yunlong <lyl2019@mail.ustc.edu.cn> |
| |
| [ Upstream commit 7272b591c4cb9327c43443f67b8fbae7657dd9ae ] |
| |
| In ibmasm_init_one, it calls ibmasm_init_remote_input_dev(). |
| Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are |
| allocated by input_allocate_device(), and assigned to |
| sp->remote.mouse_dev and sp->remote.keybd_dev respectively. |
| |
| In the err_free_devices error branch of ibmasm_init_one, |
| mouse_dev and keybd_dev are freed by input_free_device(), and return |
| error. Then the execution runs into error_send_message error branch |
| of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called |
| to unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev. |
| |
| My patch adds an "error_init_remote" label to handle the error of |
| ibmasm_init_remote_input_dev(), to avoid the UAF bugs. |
| |
| Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> |
| Link: https://lore.kernel.org/r/20210426170620.10546-1-lyl2019@mail.ustc.edu.cn |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/misc/ibmasm/module.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| diff --git a/drivers/misc/ibmasm/module.c b/drivers/misc/ibmasm/module.c |
| index 4edad6c445d3..dc8a06c06c63 100644 |
| --- a/drivers/misc/ibmasm/module.c |
| +++ b/drivers/misc/ibmasm/module.c |
| @@ -111,7 +111,7 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id) |
| result = ibmasm_init_remote_input_dev(sp); |
| if (result) { |
| dev_err(sp->dev, "Failed to initialize remote queue\n"); |
| - goto error_send_message; |
| + goto error_init_remote; |
| } |
| |
| result = ibmasm_send_driver_vpd(sp); |
| @@ -131,8 +131,9 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id) |
| return 0; |
| |
| error_send_message: |
| - disable_sp_interrupts(sp->base_address); |
| ibmasm_free_remote_input_dev(sp); |
| +error_init_remote: |
| + disable_sp_interrupts(sp->base_address); |
| free_irq(sp->irq, (void *)sp); |
| error_request_irq: |
| iounmap(sp->base_address); |
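Review bot: On the `error_send_message` path the new ordering runs `ibmasm_free_remote_input_dev(sp)` before `disable_sp_interrupts(sp->base_address)`, whereas the old code masked the service-processor interrupts first. The IRQ is still registered at that point (`free_irq` only runs afterwards), so if the interrupt handler, which is not visible in this diff, can reach `sp->remote.mouse_dev` or `sp->remote.keybd_dev`, an interrupt arriving in that window would touch input devices that are being torn down, which is the same class of bug this commit is fixing. Consider keeping `disable_sp_interrupts(sp->base_address);` ahead of `ibmasm_free_remote_input_dev(sp);` under `error_send_message:` and repeating the disable call under `error_init_remote:`, provided masking twice is confirmed harmless for that helper. A short comment above the labels, such as `/* mask SP interrupts before releasing anything the handler may use */`, would record the ordering requirement. ibmasm_init_one starts and ends outside the hunk, so the rest of the unwind chain could not be checked here.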
| -- |
| 2.30.2 |
| |