public inbox for stable@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
	Wenwen Wang <wenwen@cs.uga.edu>, stable <stable@vger.kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [PATCH 02/69] Revert "ACPI: custom_method: fix memory leaks"
Date: Mon,  3 May 2021 13:56:29 +0200
Message-ID: <20210503115736.2104747-3-gregkh@linuxfoundation.org>
In-Reply-To: <20210503115736.2104747-1-gregkh@linuxfoundation.org>

From: Kees Cook <keescook@chromium.org>

This reverts commit 03d1571d9513369c17e6848476763ebbd10ec2cb.

While /sys/kernel/debug/acpi/custom_method is already a privileged-only
API providing proxied arbitrary write access to kernel memory[1][2],
with existing race conditions[3] in buffer allocation and use that could
lead to memory leaks and use-after-free conditions, the above commit
appears to accidentally make the use-after-free conditions even easier
to accomplish. ("buf" is a global variable and prior kfree()s would set
buf back to NULL.)

This entire interface needs to be reworked (if not entirely removed).

[1] https://lore.kernel.org/lkml/20110222193250.GA23913@outflux.net/
[2] https://lore.kernel.org/lkml/201906221659.B618D83@keescook/
[3] https://lore.kernel.org/lkml/20170109231323.GA89642@beast/

Cc: Wenwen Wang <wenwen@cs.uga.edu>
Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/custom_method.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index 443fdf62dd22..72469a49837d 100644
--- a/drivers/acpi/custom_method.c
+++ b/drivers/acpi/custom_method.c
@@ -53,10 +53,8 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
 	if ((*ppos > max_size) ||
 	    (*ppos + count > max_size) ||
 	    (*ppos + count < count) ||
-	    (count > uncopied_bytes)) {
-		kfree(buf);
+	    (count > uncopied_bytes))
 		return -EINVAL;
-	}
 
 	if (copy_from_user(buf + (*ppos), user_buf, count)) {
 		kfree(buf);
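Review bot: the two removed lines (`-		kfree(buf);` and the closing `-	}`) are the right thing to drop here, because the kfree() that 03d1571d9513 added on the -EINVAL path never reset `buf` to NULL; since `buf` is a static that survives across write() calls (see the commit message), the next call into cm_write() would reach the unchanged `kfree(buf);` under `copy_from_user()` failure, or the later install path, with an already-freed pointer, i.e. a double free / use-after-free triggerable from this privileged interface. Two things worth stating explicitly in the commit message rather than leaving implicit: first, after this revert a write that trips the bounds check leaves the current `buf` allocated until a later write at `*ppos == 0` reallocates it, so the leak the reverted commit was chasing is knowingly reintroduced in exchange for removing the UAF; second, the `(*ppos + count < count)` overflow check and the `count > uncopied_bytes` check are still the only things standing between user-controlled `count` and `copy_from_user(buf + (*ppos), ...)`, so any follow-up rework of this interface should keep that predicate intact or replace it with an equivalent one.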
@@ -76,7 +74,6 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
 		add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE);
 	}
 
-	kfree(buf);
 	return count;
 }
 
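Review bot: removing the trailing `-	kfree(buf);` before `return count;` is the more important half of this revert. That unconditional free ran on every successful partial write, not only on the final one that enters the `if` block ending with `add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, ...)`, so for any table delivered in more than one write() the static `buf` was freed while `uncopied_bytes` was still non-zero and the next write() would copy user data into freed memory. With the line gone, `buf` is again freed only inside that block (where, per the commit message, the pre-existing kfree() also sets it to NULL). Suggest the Fixes: tag be accompanied by a one-line note that stable trees carrying 03d1571d9513 need both hunks together; applying only the first hunk would leave this stale-pointer write in place.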
-- 
2.31.1


