From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Takashi Sakamoto <o-takashi@sakamocchi.jp>,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.19 01/89] firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region
Date: Mon, 20 Feb 2023 14:35:00 +0100 [thread overview]
Message-ID: <20230220133553.119596508@linuxfoundation.org> (raw)
In-Reply-To: <20230220133553.066768704@linuxfoundation.org>
From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
commit 531390a243ef47448f8bad01c186c2787666bf4d upstream.
This patch is fix for Linux kernel v2.6.33 or later.
For request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem
have had an issue of use-after-free. The subsystem allows multiple
user space listeners to the region, while data of the payload was likely
released before the listeners execute read(2) to access to it for copying
to user space.
The issue was fixed by a commit 281e20323ab7 ("firewire: core: fix
use-after-free regression in FCP handler"). The object of payload is
duplicated in kernel space for each listener. When the listener executes
ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to
be released.
However, it causes memory leak since the commit relies on call of
release_request() in drivers/firewire/core-cdev.c. Against the
expectation, the function is never called due to the design of
release_client_resource(). The function delegates release task
to caller when called with non-NULL fourth argument. The implementation
of ioctl_send_response() is the case. It should release the object
explicitly.
This commit fixes the bug.
Cc: <stable@vger.kernel.org>
Fixes: 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20230117090610.93792-2-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firewire/core-cdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -831,8 +831,10 @@ static int ioctl_send_response(struct cl
r = container_of(resource, struct inbound_transaction_resource,
resource);
- if (is_fcp_request(r->request))
+ if (is_fcp_request(r->request)) {
+ kfree(r->data);
goto out;
+ }
if (a->length != fw_get_response_length(r->request)) {
ret = -EINVAL;
next prev parent reply other threads:[~2023-02-20 13:39 UTC|newest]
Thread overview: 98+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-20 13:34 [PATCH 4.19 00/89] 4.19.273-rc1 review Greg Kroah-Hartman
2023-02-20 13:35 ` Greg Kroah-Hartman [this message]
2023-02-20 13:35 ` [PATCH 4.19 02/89] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 03/89] ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 04/89] netrom: Fix use-after-free caused by accept on already connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 05/89] squashfs: harden sanity check in squashfs_read_xattr_id_table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 06/89] ata: libata: Fix sata_down_spd_limit() when no link speed is reported Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 07/89] net: openvswitch: fix flow memory leak in ovs_flow_cmd_new Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 08/89] scsi: target: core: Fix warning on RT kernels Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 09/89] scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 10/89] i2c: rk3x: fix a bunch of kernel-doc warnings Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 11/89] net/x25: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 12/89] iio: adc: stm32-dfsdm: fill module aliases Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 13/89] usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 14/89] usb: dwc3: qcom: enable vbus override when in OTG dr-mode Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 15/89] usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 16/89] vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 17/89] Input: i8042 - move __initconst to fix code styling warning Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 18/89] Input: i8042 - merge quirk tables Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 19/89] Input: i8042 - add TUXEDO devices to i8042 " Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 20/89] Input: i8042 - add Clevo PCX0DX to i8042 quirk table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 21/89] nVMX x86: Check VMX-preemption timer controls on vmentry of L2 guests Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 22/89] KVM: VMX: Move VMX specific files to a "vmx" subdirectory Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 23/89] KVM: VMX: Move caching of MSR_IA32_XSS to hardware_setup() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 24/89] KVM: x86/vmx: Do not skip segment attributes if unusable bit is set Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 25/89] thermal: intel: int340x: Protect trip temperature from concurrent updates Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 26/89] fbcon: Check font dimension limits Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 27/89] watchdog: diag288_wdt: do not use stack buffers for hardware data Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 28/89] watchdog: diag288_wdt: fix __diag288() inline assembly Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 29/89] efi: Accept version 2 of memory attributes table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 30/89] iio: hid: fix the retval in accel_3d_capture_sample Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 31/89] iio: adc: berlin2-adc: Add missing of_node_put() in error path Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 32/89] iio:adc:twl6030: Enable measurements of VUSB, VBAT and others Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 33/89] parisc: Fix return code of pdc_iodc_print() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 34/89] parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 35/89] riscv: disable generation of unwind tables Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 36/89] mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 37/89] mm/swapfile: add cond_resched() in get_swap_pages() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 38/89] Squashfs: fix handling and sanity checking of xattr_ids count Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 39/89] serial: 8250_dma: Fix DMA Rx completion race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 40/89] serial: 8250_dma: Fix DMA Rx rearm race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 41/89] thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 42/89] iio:adc:twl6030: Enable measurement of VAC Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 43/89] btrfs: limit device extents to the device size Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 44/89] ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 45/89] IB/hfi1: Restore allocated resources on failed copyout Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 46/89] net: phy: add macros for PHYID matching Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 47/89] net: phy: meson-gxl: add g12a support Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 48/89] net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal PHY Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 49/89] rds: rds_rm_zerocopy_callback() use list_first_entry() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 50/89] selftests: forwarding: lib: quote the sysctl values Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 51/89] ALSA: pci: lx6464es: fix a debug loop Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 52/89] pinctrl: aspeed: Fix confusing types in return value Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 53/89] pinctrl: single: fix potential NULL dereference Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 54/89] pinctrl: intel: Convert unsigned to unsigned int Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 55/89] pinctrl: intel: Restore the pins that used to be in Direct IRQ mode Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 56/89] net: USB: Fix wrong-direction WARNING in plusb.c Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 57/89] usb: core: add quirk for Alcor Link AK9563 smartcard reader Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 58/89] usb: typec: altmodes/displayport: Fix probe pin assign check Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 59/89] riscv: Fixup race condition on PG_dcache_clean in flush_icache_pte Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 60/89] arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 61/89] arm64: dts: meson-axg: " Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 62/89] bpf: Always return target ifindex in bpf_fib_lookup Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 63/89] migrate: hugetlb: check for hugetlb shared PMD in node migration Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 64/89] ASoC: cs42l56: fix DT probe Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 65/89] tools/virtio: fix the vringh test for virtio ring changes Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 66/89] net/rose: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 67/89] nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 68/89] aio: fix mremap after fork null-deref Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 69/89] netfilter: nft_tproxy: restrict to prerouting hook Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 70/89] Revert "x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 71/89] mmc: sdio: fix possible resource leaks in some error paths Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 72/89] ALSA: hda/conexant: add a new hda codec SN6180 Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 73/89] ALSA: hda/realtek - fixed wrong gpio assigned Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 74/89] hugetlb: check for undefined shift on 32 bit architectures Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 75/89] revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 76/89] i40e: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 77/89] net: bgmac: fix BCM5358 support by setting correct flags Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 78/89] dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 79/89] net/usb: kalmia: Dont pass act_len in usb_bulk_msg error path Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 80/89] net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 81/89] bnxt_en: Fix mqprio and XDP ring checking logic Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 82/89] net: stmmac: Restrict warning on disabling DMA store and fwd mode Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 83/89] net: mpls: fix stale pointer if allocation fails during device rename Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 84/89] ipv6: Fix datagram socket connection with DSCP Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 85/89] ipv6: Fix tcp " Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 86/89] i40e: Add checking for null for nlmsg_find_attr() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 87/89] kvm: initialize all of the kvm_debugregs structure before sending it to userspace Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 88/89] nilfs2: fix underflow in second superblock position calculations Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 89/89] net: phy: meson-gxl: Add generic dummy stubs for MMD register access Greg Kroah-Hartman
2023-02-20 19:06 ` [PATCH 4.19 00/89] 4.19.273-rc1 review Pavel Machek
2023-02-21 12:27 ` Naresh Kamboju
2023-02-21 14:20 ` Jon Hunter
2023-02-21 15:02 ` Sudip Mukherjee (Codethink)
2023-02-21 16:20 ` Guenter Roeck
2023-02-21 23:54 ` Shuah Khan
2023-02-22 8:51 ` zhouzhixiu
2023-02-22 14:43 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230220133553.119596508@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=o-takashi@sakamocchi.jp \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).