Linux kernel -stable discussions
* [PATCH][for-4.14] fbdev: imsttfb: Fix use after free bug in imsttfb_probe
@ 2023-06-29 14:45 Helge Deller
  2023-06-29 15:29 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 2+ messages in thread
From: Helge Deller @ 2023-06-29 14:45 UTC
  To: Greg Kroah-Hartman, stable, Sasha Levin

Hi Greg,

below is the manual backport of an upstream patch to fix the build failure
in kernel v4.14 in imsttfb.c.

It's not sufficient to just return from init_imstt() as the kernel then
may crash later when it tries to access the non-existent framebuffer or
cmap. Instead return failure to imsttfb_probe() so that the kernel
will skip using that hardware/driver.

Can you please apply this patch to the v4.14 stable queue?

Thanks,
Helge

-----------
From: Zheng Wang <zyytlz.wz@163.com>

This is a manual backport of upstream patch c75f5a55061091030a13fef71b9995b89bc86213
to fix a build error in imsttfb.c in kernel v4.14.

A use-after-free bug may occur if init_imstt invokes framebuffer_release
and frees the info ptr. The caller, imsttfb_probe, didn't notice that and
still keeps the ptr as private data in pdev.

If we remove the driver, which will call imsttfb_remove to clean up,
UAF happens.

Fix it by returning an error code if a bad case happens in init_imstt.

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Helge Deller <deller@gmx.de>

diff --git a/drivers/video/fbdev/imsttfb.c b/drivers/video/fbdev/imsttfb.c
index 6589d5f0a5a4..eaaa5f1c0f6f 100644
--- a/drivers/video/fbdev/imsttfb.c
+++ b/drivers/video/fbdev/imsttfb.c
@@ -1348,7 +1348,7 @@ static struct fb_ops imsttfb_ops = {
 	.fb_ioctl 	= imsttfb_ioctl,
 };

-static void init_imstt(struct fb_info *info)
+static int init_imstt(struct fb_info *info)
 {
 	struct imstt_par *par = info->par;
 	__u32 i, tmp, *ip, *end;
@@ -1420,7 +1420,7 @@ static void init_imstt(struct fb_info *info)
 	    || !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) {
 		printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yres, info->var.bits_per_pixel);
 		framebuffer_release(info);
-		return;
+		return -ENODEV;
 	}

 	sprintf(info->fix.id, "IMS TT (%s)", par->ramdac == IBM ? "IBM" : "TVP");
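Review bot: On this unsupported-mode path init_imstt() calls framebuffer_release(info) itself before the new `return -ENODEV;`, so a non-zero return now also means the caller's info pointer is already dead, and nothing in the code states that. A short comment above init_imstt() saying that info has been released on failure and must not be touched afterwards would keep a later caller from reintroducing the stale-pointer bug this patch fixes.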
@@ -1460,12 +1460,13 @@ static void init_imstt(struct fb_info *info)
 	if (register_framebuffer(info) < 0) {
 		fb_dealloc_cmap(&info->cmap);
 		framebuffer_release(info);
-		return;
+		return -ENODEV;
 	}

 	tmp = (read_reg_le32(par->dc_regs, SSTATUS) & 0x0f00) >> 8;
 	fb_info(info, "%s frame buffer; %uMB vram; chip version %u\n",
 		info->fix.id, info->fix.smem_len >> 20, tmp);
+	return 0;
 }

 static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
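Review bot: In the register_framebuffer() failure branch the real error is thrown away and replaced by `return -ENODEV;`. The check is `register_framebuffer(info) < 0`, so a negative errno is available at that point; keeping it in a local and returning it after fb_dealloc_cmap() and framebuffer_release() would let the probe failure report the actual cause.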
@@ -1474,6 +1475,7 @@ static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 	struct imstt_par *par;
 	struct fb_info *info;
 	struct device_node *dp;
+	int ret;

 	dp = pci_device_to_OF_node(pdev);
 	if(dp)
@@ -1525,10 +1527,10 @@ static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 	par->cmap_regs_phys = addr + 0x840000;
 	par->cmap_regs = (__u8 *)ioremap(addr + 0x840000, 0x1000);
 	info->pseudo_palette = par->palette;
-	init_imstt(info);
-
-	pci_set_drvdata(pdev, info);
-	return 0;
+	ret = init_imstt(info);
+	if (!ret)
+		pci_set_drvdata(pdev, info);
+	return ret;
 }

 static void imsttfb_remove(struct pci_dev *pdev)
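Review bot: The failure path `return ret;` in imsttfb_probe() leaves the mapping from `ioremap(addr + 0x840000, 0x1000)` two lines above it in place. Because init_imstt() has already called framebuffer_release(info) by then, and par comes from info->par, probe can no longer reach par->cmap_regs to unmap it. Consider moving the release out of init_imstt() into an error label here that calls iounmap() on the register mappings first and framebuffer_release(info) last, so ownership of info stays with the function that allocated it.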


* Re: [PATCH][for-4.14] fbdev: imsttfb: Fix use after free bug in imsttfb_probe
  2023-06-29 14:45 [PATCH][for-4.14] fbdev: imsttfb: Fix use after free bug in imsttfb_probe Helge Deller
@ 2023-06-29 15:29 ` Greg Kroah-Hartman
  0 siblings, 0 replies; 2+ messages in thread
From: Greg Kroah-Hartman @ 2023-06-29 15:29 UTC
  To: Helge Deller; +Cc: stable, Sasha Levin

On Thu, Jun 29, 2023 at 04:45:41PM +0200, Helge Deller wrote:
> Hi Greg,
> 
> below is the manual backport of an upstream patch to fix the build failure
> in kernel v4.14 in imsttfb.c.
> 
> It's not sufficient to just return from init_imstt() as the kernel then
> may crash later when it tries to access the non-existent framebuffer or
> cmap. Instead return failure to imsttfb_probe() so that the kernel
> will skip using that hardware/driver.
> 
> Can you please apply this patch to the v4.14 stable queue?

Now queued up, thanks!

greg k-h
