All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: kernel-janitors@vger.kernel.org
Subject: re: device property: fix for a case of use-after-free
Date: Mon, 25 Apr 2016 11:34:08 +0000	[thread overview]
Message-ID: <20160425113408.GA6175@mwanda> (raw)

Hi Heikki Krogerus,

The patch 0d67e0fa1664: "device property: fix for a case of
use-after-free" from Mar 10, 2016, has an issue.

Assume "fwnode" is an ERR_PTR>

drivers/base/property.c
   204  static bool __fwnode_property_present(struct fwnode_handle *fwnode,
   205                                        const char *propname)
   206  {
   207          if (is_of_node(fwnode))
                               ^^^^^^
We dereference it here.

   208                  return of_property_read_bool(to_of_node(fwnode), propname);
   209          else if (is_acpi_node(fwnode))
   210                  return !acpi_node_prop_get(fwnode, propname, NULL);
   211          else if (is_pset_node(fwnode))
   212                  return !!pset_prop_get(to_pset_node(fwnode), propname);
   213          return false;

Some of these depend on the .config but I don't see a path through this
function where fwnode can be an ERR_PTR and we don't oops.

   214  }
   215  
   216  /**
   217   * fwnode_property_present - check if a property of a firmware node is present
   218   * @fwnode: Firmware node whose property to check
   219   * @propname: Name of the property
   220   */
   221  bool fwnode_property_present(struct fwnode_handle *fwnode, const char *propname)
   222  {
   223          bool ret;
   224  
   225          ret = __fwnode_property_present(fwnode, propname);
                                                ^^^^^^^
We oops here.

   226          if (ret = false && !IS_ERR_OR_NULL(fwnode) &&
                                     ^^^^^^^^^^^^^^^^^^^^^^
This check for IS_ERR is too late because we already oopsed on the line
before.

   227              !IS_ERR_OR_NULL(fwnode->secondary))
   228                  ret = __fwnode_property_present(fwnode->secondary, propname);
   229          return ret;
   230  }

regards,
dan carpenter

             reply	other threads:[~2016-04-25 11:34 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-04-25 11:34 Dan Carpenter [this message]
2016-04-25 13:19 ` device property: fix for a case of use-after-free Heikki Krogerus
2016-04-25 14:19 ` Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160425113408.GA6175@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=kernel-janitors@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.