| Message ID | 20210423152818.97077-1-mlangsdo@redhat.com |
|---|---|
| State | Accepted |
| Commit | e483bb9a991bdae29a0caa4b3a6d002c968f94aa |
| Headers | show |
| Series | ACPI: custom_method: fix potential use-after-free issue | expand |
On Fri, Apr 23, 2021 at 5:28 PM Mark Langsdorf <mlangsdo@redhat.com> wrote: > > In cm_write(), buf is always freed when reaching the end of the > function. If the requested count is less than table.length, the > allocated buffer will be freed but subsequent calls to cm_write() will > still try to access it. > > Remove the unconditional kfree(buf) at the end of the function and > set the buf to NULL in the -EINVAL error path to match the rest of > function. > > Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks") > Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com> > --- > drivers/acpi/custom_method.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c > index 443fdf62dd22..8844f895f9be 100644 > --- a/drivers/acpi/custom_method.c > +++ b/drivers/acpi/custom_method.c > @@ -55,6 +55,7 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf, > (*ppos + count < count) || > (count > uncopied_bytes)) { > kfree(buf); > + buf = NULL; > return -EINVAL; > } > > @@ -76,7 +77,6 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf, > add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE); > } > > - kfree(buf); > return count; > } > > -- Applied as 5.13-rc material, thanks!
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index 443fdf62dd22..8844f895f9be 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c @@ -55,6 +55,7 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf, (*ppos + count < count) || (count > uncopied_bytes)) { kfree(buf); + buf = NULL; return -EINVAL; } @@ -76,7 +77,6 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf, add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE); } - kfree(buf); return count; }
In cm_write(), buf is always freed when reaching the end of the function. If the requested count is less than table.length, the allocated buffer will be freed but subsequent calls to cm_write() will still try to access it. Remove the unconditional kfree(buf) at the end of the function and set the buf to NULL in the -EINVAL error path to match the rest of function. Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks") Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com> --- drivers/acpi/custom_method.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)