linux

mirror of https://github.com/hardkernel/linux.git synced 2026-06-05 10:31:46 +09:00

Go to file

Ziyang Xuan 3f25451eae thermal/core: fix a UAF bug in __thermal_cooling_device_register()

[ Upstream commit 0a5c26712f ]

When device_register() return failed, program will goto out_kfree_type
to release 'cdev->device' by put_device(). That will call thermal_release()
to free 'cdev'. But the follow-up processes access 'cdev' continually.
That trggers the UAF bug.

====================================================================
BUG: KASAN: use-after-free in __thermal_cooling_device_register+0x75b/0xa90
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 dump_stack_lvl+0xe2/0x152
 print_address_description.constprop.0+0x21/0x140
 ? __thermal_cooling_device_register+0x75b/0xa90
 kasan_report.cold+0x7f/0x11b
 ? __thermal_cooling_device_register+0x75b/0xa90
 __thermal_cooling_device_register+0x75b/0xa90
 ? memset+0x20/0x40
 ? __sanitizer_cov_trace_pc+0x1d/0x50
 ? __devres_alloc_node+0x130/0x180
 devm_thermal_of_cooling_device_register+0x67/0xf0
 max6650_probe.cold+0x557/0x6aa
......

Freed by task 258:
 kasan_save_stack+0x1b/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0x109/0x140
 kfree+0x117/0x4c0
 thermal_release+0xa0/0x110
 device_release+0xa7/0x240
 kobject_put+0x1ce/0x540
 put_device+0x20/0x30
 __thermal_cooling_device_register+0x731/0xa90
 devm_thermal_of_cooling_device_register+0x67/0xf0
 max6650_probe.cold+0x557/0x6aa [max6650]

Do not use 'cdev' again after put_device() to fix the problem like doing
in thermal_zone_device_register().

[dlezcano]: as requested by Rafael, change the affectation into two statements.

Fixes: 5848376181 ("thermal/drivers/core: Use a char pointer for the cooling device name")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/r/20211015024504.947520-1-william.xuanziyang@huawei.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

2021-11-18 19:16:33 +01:00

arch

x86/insn: Use get_unaligned() instead of memcpy()

2021-11-18 19:16:30 +01:00

block

block: remove inaccurate requeue check

2021-11-18 19:16:17 +01:00

certs

certs: Add support for using elliptic curve keys for signing modules

2021-08-23 19:55:42 +03:00

crypto

crypto: ecc - fix CRYPTO_DEFAULT_RNG dependency

2021-11-18 19:16:29 +01:00

Documentation

fscrypt: allow 256-bit master keys with AES-256-XTS

2021-11-18 19:16:11 +01:00

drivers

thermal/core: fix a UAF bug in __thermal_cooling_device_register()

2021-11-18 19:16:33 +01:00

erofs: don't trigger WARN() when decompression fails

2021-11-18 19:16:21 +01:00

include

tcp: switch orphan_count to bare per-cpu counters

2021-11-18 19:16:33 +01:00

init

bootconfig: init: Fix memblock leak in xbc_make_cmdline()

2021-10-10 22:27:40 -04:00

ipc

ipc: remove memcg accounting for sops objects in do_semtimedop()

2021-09-14 10:22:11 -07:00

kernel

kernel/sched: Fix sched_fork() access an invalid sched_task_group

2021-11-18 19:16:32 +01:00

lib

bpf/tests: Fix error in tail call limit tests

2021-11-18 19:16:26 +01:00

LICENSES

LICENSES/dual/CC-BY-4.0: Git rid of "smart quotes"

2021-07-15 06:31:24 -06:00

kfence: always use static branches to guard kfence_alloc()

2021-11-12 15:05:49 +01:00

net

tcp: switch orphan_count to bare per-cpu counters

2021-11-18 19:16:33 +01:00

samples

samples/bpf: Fix application of sizeof to pointer

2021-11-18 19:16:18 +01:00

scripts

leaking_addresses: Always print a trailing newline

2021-11-18 19:16:16 +01:00

security

ima: fix deadlock when traversing "ima_default_rules".

2021-11-18 19:16:31 +01:00

sound

ASoC: tegra: Restore AC97 support

2021-11-18 19:16:01 +01:00

tools

x86/insn: Use get_unaligned() instead of memcpy()

2021-11-18 19:16:30 +01:00

usr

.gitignore: prefix local generated files with a slash

2021-05-02 00:43:35 +09:00

virt

KVM: Remove tlbs_dirty

2021-09-23 11:01:12 -04:00

.clang-format

clang-format: Update with the latest for_each macro list

2021-05-12 23:32:39 +02:00

.cocciconfig

scripts: add Linux .cocciconfig for coccinelle

2016-07-22 12:13:39 +02:00

.get_maintainer.ignore

Opt out of scripts/get_maintainer.pl

2019-05-16 10:53:40 -07:00

.gitattributes

.gitattributes: use 'dts' diff driver for dts files

2019-12-04 19:44:11 -08:00

.gitignore

.gitignore: ignore only top-level modules.builtin

2021-05-02 00:43:35 +09:00

.mailmap

mailmap: add Andrej Shadura

2021-10-18 20:22:03 -10:00

COPYING

COPYING: state that all contributions really are covered by this file

2020-02-10 13:32:20 -08:00

CREDITS

MAINTAINERS: Move Daniel Drake to credits

2021-09-21 08:34:58 +03:00

Kbuild

kbuild: rename hostprogs-y/always to hostprogs/always-y

2020-02-04 01:53:07 +09:00

Kconfig

kbuild: ensure full rebuild when the compiler is updated

2020-05-12 13:28:33 +09:00

MAINTAINERS

Merge tag 'drm-fixes-2021-10-29' of git://anongit.freedesktop.org/drm/drm

2021-10-28 12:17:01 -07:00

Makefile

Linux 5.15.2

2021-11-12 15:05:52 +01:00

README

Drop all 00-INDEX files from Documentation/

2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.