OrgACRN
/
acrn-kernel
mirror of https://github.com/projectacrn/acrn-kernel.git
1
0
Fork 0
Code Issues Releases Wiki Activity
acrn-kernel/drivers/mtd/ubi
History
Zhihao Cheng 8c03a1c21d ubi: ubi_create_volume: Fix use-after-free when volume creation failed 
There is an use-after-free problem for 'eba_tbl' in ubi_create_volume()'s
error handling path:

  ubi_eba_replace_table(vol, eba_tbl)
    vol->eba_tbl = tbl
out_mapping:
  ubi_eba_destroy_table(eba_tbl)   // Free 'eba_tbl'
out_unlock:
  put_device(&vol->dev)
    vol_release
      kfree(tbl->entries)	  // UAF

Fix it by removing redundant 'eba_tbl' releasing.
Fetch a reproducer in [Link].

Fixes: 493cfaeaa0 ("mtd: utilize new cdev_device_add helper function")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215965
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
 		2022-05-27 16:49:41 +02:00
..
Kconfig
Makefile
attach.c
block.c
build.c
cdev.c
debug.c
debug.h
eba.c
fastmap-wl.c ubi: fastmap: Check wl_pool for free peb before wear leveling 2022-05-27 16:49:07 +02:00
fastmap.c ubi: fastmap: Fix high cpu usage of ubi_bgt by making sure wl_pool not empty 2022-05-27 16:46:02 +02:00
gluebi.c
io.c
kapi.c
misc.c
ubi-media.h
ubi.h ubi: fastmap: Fix high cpu usage of ubi_bgt by making sure wl_pool not empty 2022-05-27 16:46:02 +02:00
upd.c
vmt.c ubi: ubi_create_volume: Fix use-after-free when volume creation failed 2022-05-27 16:49:41 +02:00
vtbl.c
wl.c ubi: fastmap: Check wl_pool for free peb before wear leveling 2022-05-27 16:49:07 +02:00
wl.h ubi: fastmap: Check wl_pool for free peb before wear leveling 2022-05-27 16:49:07 +02:00