[PATCH iio-next] iio: proximity: Fix use-after-free in hx9023s_send

Linux IIO development
 help / color / mirror / Atom feed

* [PATCH iio-next] iio: proximity: Fix use-after-free in hx9023s_send_cfg()
@ 2025-01-07 12:35 Dheeraj Reddy Jonnalagadda
  2025-01-07 16:42 ` David Lechner
  2025-01-12 11:53 ` Jonathan Cameron
  0 siblings, 2 replies; 4+ messages in thread
From: Dheeraj Reddy Jonnalagadda @ 2025-01-07 12:35 UTC (permalink / raw)
  To: jic23, lars
  Cc: jstephan, yasin.lee.x, dan.carpenter, nuno.sa, linux-iio,
	linux-kernel, Dheeraj Reddy Jonnalagadda

Reorder the assignment of fw_size to happen before release_firmware()
to avoid accessing the firmware structure after it's been freed.

Fixes: e9ed97be4fcc ("iio: proximity: hx9023s: Added firmware file parsing functionality")
Closes: https://scan7.scan.coverity.com/#/project-view/52337/11354?selectedIssue=1602791
Signed-off-by: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
---
 drivers/iio/proximity/hx9023s.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/iio/proximity/hx9023s.c b/drivers/iio/proximity/hx9023s.c
index e092a935dbac..5aa8e5a22f32 100644
--- a/drivers/iio/proximity/hx9023s.c
+++ b/drivers/iio/proximity/hx9023s.c
@@ -1036,12 +1036,13 @@ static int hx9023s_send_cfg(const struct firmware *fw, struct hx9023s_data *data
 		return -ENOMEM;
 
 	memcpy(bin->data, fw->data, fw->size);
-	release_firmware(fw);
 
 	bin->fw_size = fw->size;
 	bin->fw_ver = bin->data[FW_VER_OFFSET];
 	bin->reg_count = get_unaligned_le16(bin->data + FW_REG_CNT_OFFSET);
 
+	release_firmware(fw);
+
 	return hx9023s_bin_load(data, bin);
 }
 
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH iio-next] iio: proximity: Fix use-after-free in hx9023s_send_cfg()
  2025-01-07 12:35 [PATCH iio-next] iio: proximity: Fix use-after-free in hx9023s_send_cfg() Dheeraj Reddy Jonnalagadda
@ 2025-01-07 16:42 ` David Lechner
  2025-01-12 11:53 ` Jonathan Cameron
  1 sibling, 0 replies; 4+ messages in thread
From: David Lechner @ 2025-01-07 16:42 UTC (permalink / raw)
  To: Dheeraj Reddy Jonnalagadda, jic23, lars
  Cc: jstephan, yasin.lee.x, dan.carpenter, nuno.sa, linux-iio,
	linux-kernel

On 1/7/25 6:35 AM, Dheeraj Reddy Jonnalagadda wrote:
> Reorder the assignment of fw_size to happen before release_firmware()
> to avoid accessing the firmware structure after it's been freed.
> 
> Fixes: e9ed97be4fcc ("iio: proximity: hx9023s: Added firmware file parsing functionality")
> Closes: https://scan7.scan.coverity.com/#/project-view/52337/11354?selectedIssue=1602791
> Signed-off-by: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
> ---

Reviewed-by: David Lechner <dlechner@baylibre.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH iio-next] iio: proximity: Fix use-after-free in hx9023s_send_cfg()
  2025-01-07 12:35 [PATCH iio-next] iio: proximity: Fix use-after-free in hx9023s_send_cfg() Dheeraj Reddy Jonnalagadda
  2025-01-07 16:42 ` David Lechner
@ 2025-01-12 11:53 ` Jonathan Cameron
  2025-01-18 17:21   ` Jonathan Cameron
  1 sibling, 1 reply; 4+ messages in thread
From: Jonathan Cameron @ 2025-01-12 11:53 UTC (permalink / raw)
  To: Dheeraj Reddy Jonnalagadda
  Cc: lars, jstephan, yasin.lee.x, dan.carpenter, nuno.sa, linux-iio,
	linux-kernel

On Tue,  7 Jan 2025 18:05:10 +0530
Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com> wrote:

> Reorder the assignment of fw_size to happen before release_firmware()
> to avoid accessing the firmware structure after it's been freed.
> 
> Fixes: e9ed97be4fcc ("iio: proximity: hx9023s: Added firmware file parsing functionality")
> Closes: https://scan7.scan.coverity.com/#/project-view/52337/11354?selectedIssue=1602791
> Signed-off-by: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
Gah. I didn't see this until after I'd sent the pull request.
Never mind, we have plenty of time to get this in during the rc1 cycles.

I'll queue it up after rc1.

Thanks,

Jonathan

> ---
>  drivers/iio/proximity/hx9023s.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/iio/proximity/hx9023s.c b/drivers/iio/proximity/hx9023s.c
> index e092a935dbac..5aa8e5a22f32 100644
> --- a/drivers/iio/proximity/hx9023s.c
> +++ b/drivers/iio/proximity/hx9023s.c
> @@ -1036,12 +1036,13 @@ static int hx9023s_send_cfg(const struct firmware *fw, struct hx9023s_data *data
>  		return -ENOMEM;
>  
>  	memcpy(bin->data, fw->data, fw->size);
> -	release_firmware(fw);
>  
>  	bin->fw_size = fw->size;
>  	bin->fw_ver = bin->data[FW_VER_OFFSET];
>  	bin->reg_count = get_unaligned_le16(bin->data + FW_REG_CNT_OFFSET);
>  
> +	release_firmware(fw);
> +
>  	return hx9023s_bin_load(data, bin);
>  }
>  


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH iio-next] iio: proximity: Fix use-after-free in hx9023s_send_cfg()
  2025-01-12 11:53 ` Jonathan Cameron
@ 2025-01-18 17:21   ` Jonathan Cameron
  0 siblings, 0 replies; 4+ messages in thread
From: Jonathan Cameron @ 2025-01-18 17:21 UTC (permalink / raw)
  To: Dheeraj Reddy Jonnalagadda
  Cc: lars, jstephan, yasin.lee.x, dan.carpenter, nuno.sa, linux-iio,
	linux-kernel

On Sun, 12 Jan 2025 11:53:14 +0000
Jonathan Cameron <jic23@kernel.org> wrote:

> On Tue,  7 Jan 2025 18:05:10 +0530
> Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com> wrote:
> 
> > Reorder the assignment of fw_size to happen before release_firmware()
> > to avoid accessing the firmware structure after it's been freed.
> > 
> > Fixes: e9ed97be4fcc ("iio: proximity: hx9023s: Added firmware file parsing functionality")
> > Closes: https://scan7.scan.coverity.com/#/project-view/52337/11354?selectedIssue=1602791
> > Signed-off-by: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>  
> Gah. I didn't see this until after I'd sent the pull request.
> Never mind, we have plenty of time to get this in during the rc1 cycles.
> 
> I'll queue it up after rc1.
> 
> Thanks,
> 
> Jonathan
I've now queued it but on a fixes tree I can't push out just
yet because it will make a mess of linux-next (it is ahead
of some trees that come later in the merge order for next).

Anyhow, that will all resolve during the merge window and I'll rebase
on rc1.

Thanks,

Jonathan
> 
> > ---
> >  drivers/iio/proximity/hx9023s.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/iio/proximity/hx9023s.c b/drivers/iio/proximity/hx9023s.c
> > index e092a935dbac..5aa8e5a22f32 100644
> > --- a/drivers/iio/proximity/hx9023s.c
> > +++ b/drivers/iio/proximity/hx9023s.c
> > @@ -1036,12 +1036,13 @@ static int hx9023s_send_cfg(const struct firmware *fw, struct hx9023s_data *data
> >  		return -ENOMEM;
> >  
> >  	memcpy(bin->data, fw->data, fw->size);
> > -	release_firmware(fw);
> >  
> >  	bin->fw_size = fw->size;
> >  	bin->fw_ver = bin->data[FW_VER_OFFSET];
> >  	bin->reg_count = get_unaligned_le16(bin->data + FW_REG_CNT_OFFSET);
> >  
> > +	release_firmware(fw);
> > +
> >  	return hx9023s_bin_load(data, bin);
> >  }
> >    
> 
> 


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-01-18 17:21 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-07 12:35 [PATCH iio-next] iio: proximity: Fix use-after-free in hx9023s_send_cfg() Dheeraj Reddy Jonnalagadda
2025-01-07 16:42 ` David Lechner
2025-01-12 11:53 ` Jonathan Cameron
2025-01-18 17:21   ` Jonathan Cameron

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox