Revision 647e82dbf85124697be59a4b4cf00c0d38177dcb authored by Andy Shevchenko on 01 September 2022, 11:34:06 UTC, committed by Hans de Goede on 01 September 2022, 15:51:34 UTC
We have to copy only selected fields from the original resource.
Because a PCI device will be removed immediately after getting
its resources, we may not use any allocated data, hence we may
not copy any pointers.
Consider the following scenario:
1/ a caller of p2sb_bar() gets the resource;
2/ the resource has been copied by platform_device_add_data()
in order to create a platform device;
3/ the platform device creation will call for the device driver's
->probe() as soon as a match found;
4/ the ->probe() takes given resources (see 2/) and tries to
access one of its field, i.e. 'name', in the
__devm_ioremap_resource() to create a pretty looking output;
5/ but the 'name' is a dangling pointer because p2sb_bar()
removed a PCI device, which 'name' had been copied to
the caller's memory.
6/ UAF (Use-After-Free) as a result.
Kudos to Mika for the initial analisys of the issue.
Fixes: 9745fb07474f ("platform/x86/intel: Add Primary to Sideband (P2SB) bridge support")
Reported-by: kernel test robot <oliver.sang@intel.com>
Suggested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://lore.kernel.org/linux-i2c/YvPCbnKqDiL2XEKp@xsang-OptiPlex-9020/
Link: https://lore.kernel.org/linux-i2c/YtjAswDKfiuDfWYs@xsang-OptiPlex-9020/
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20220901113406.65876-1-andriy.shevchenko@linux.intel.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
1 parent 5542dfc
| File | Mode | Size |
|---|---|---|
| appletalk | ||
| arcnet | ||
| bonding | ||
| caif | ||
| can | ||
| dsa | ||
| ethernet | ||
| fddi | ||
| fjes | ||
| hamradio | ||
| hippi | ||
| hyperv | ||
| ieee802154 | ||
| ipa | ||
| ipvlan | ||
| mctp | ||
| mdio | ||
| netdevsim | ||
| pcs | ||
| phy | ||
| plip | ||
| ppp | ||
| slip | ||
| team | ||
| usb | ||
| vmxnet3 | ||
| vxlan | ||
| wan | ||
| wireguard | ||
| wireless | ||
| wwan | ||
| xen-netback | ||
| Kconfig | -rw-r--r-- | 20.5 KB |
| LICENSE.SRC | -rw-r--r-- | 891 bytes |
| Makefile | -rw-r--r-- | 2.5 KB |
| Space.c | -rw-r--r-- | 6.2 KB |
| amt.c | -rw-r--r-- | 88.9 KB |
| bareudp.c | -rw-r--r-- | 20.0 KB |
| dummy.c | -rw-r--r-- | 5.1 KB |
| eql.c | -rw-r--r-- | 14.8 KB |
| geneve.c | -rw-r--r-- | 51.9 KB |
| gtp.c | -rw-r--r-- | 45.2 KB |
| ifb.c | -rw-r--r-- | 10.8 KB |
| loopback.c | -rw-r--r-- | 7.1 KB |
| macsec.c | -rw-r--r-- | 108.0 KB |
| macvlan.c | -rw-r--r-- | 46.8 KB |
| macvtap.c | -rw-r--r-- | 6.3 KB |
| mdio.c | -rw-r--r-- | 17.2 KB |
| mhi_net.c | -rw-r--r-- | 10.9 KB |
| mii.c | -rw-r--r-- | 17.9 KB |
| net_failover.c | -rw-r--r-- | 23.2 KB |
| netconsole.c | -rw-r--r-- | 24.2 KB |
| nlmon.c | -rw-r--r-- | 2.9 KB |
| ntb_netdev.c | -rw-r--r-- | 12.2 KB |
| rionet.c | -rw-r--r-- | 18.4 KB |
| sb1000.c | -rw-r--r-- | 31.0 KB |
| sungem_phy.c | -rw-r--r-- | 29.8 KB |
| tap.c | -rw-r--r-- | 30.6 KB |
| thunderbolt.c | -rw-r--r-- | 35.6 KB |
| tun.c | -rw-r--r-- | 86.1 KB |
| veth.c | -rw-r--r-- | 44.3 KB |
| virtio_net.c | -rw-r--r-- | 107.0 KB |
| vrf.c | -rw-r--r-- | 47.0 KB |
| vsockmon.c | -rw-r--r-- | 3.0 KB |
| xen-netfront.c | -rw-r--r-- | 66.7 KB |
Computing file changes ...
