Skip to main content

Browse the archive

https://github.com/torvalds/linux
27 March 2024, 02:37:15 UTC
Revision c1a214ad82d7ac6f19fe48f90b13403b40ead9dc authored by John Hubbard on 23 August 2018, 06:16:58 UTC, committed by Greg Kroah-Hartman on 12 September 2018, 07:14:24 UTC 
mei: fix use-after-free in mei_cl_write
 
KASAN reports a use-after-free during startup, in mei_cl_write:

    BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei]
       (drivers/misc/mei/client.c:1770)

This is caused by commit 98e70866aacb ("mei: add support for variable
length mei headers."), which changed the return value from len, to
buf->size. That ends up using a stale buf pointer, because blocking
call, the cb (callback) is deleted in me_cl_complete() function.

However, fortunately, len remains unchanged throughout the function
(and I don't see anything else that would require re-reading buf->size
either), so the fix is to simply revert the change, and return len, as
before.

Fixes: 98e70866aacb ("mei: add support for variable length mei headers.")
CC: Arnd Bergmann <arnd@arndb.de>
CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent 8d2d893
History
Tip revision: c1a214ad82d7ac6f19fe48f90b13403b40ead9dc authored by John Hubbard on 23 August 2018, 06:16:58 UTC
mei: fix use-after-free in mei_cl_write
Tip revision: c1a214a
File Mode Size
Documentation
LICENSES
arch
block
certs
crypto
drivers
firmware
fs
include
init
ipc
kernel
lib
mm
net
samples
scripts
security
sound
tools
usr
virt
.clang-format -rw-r--r-- 12.8 KB
.cocciconfig -rw-r--r-- 59 bytes
.get_maintainer.ignore -rw-r--r-- 31 bytes
.gitattributes -rw-r--r-- 30 bytes
.gitignore -rw-r--r-- 1.5 KB
.mailmap -rw-r--r-- 9.7 KB
COPYING -rw-r--r-- 423 bytes
CREDITS -rw-r--r-- 96.4 KB
Kbuild -rw-r--r-- 2.2 KB
Kconfig -rw-r--r-- 563 bytes
MAINTAINERS -rw-r--r-- 458.5 KB
Makefile -rw-r--r-- 59.1 KB
README -rw-r--r-- 800 bytes

README

back to top