From: Miquel Raynal <miquel.raynal@bootlin.com>
To: Ma Ke <make24@iscas.ac.cn>
Cc: richard@nod.at, vigneshr@ti.com, David.Woodhouse@intel.com,
jarkko.lavinen@nokia.com, linux-mtd@lists.infradead.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] mtd: Fix potential UAF for mtdswap_dev pointers
Date: Mon, 24 Feb 2025 16:36:30 +0100
Message-ID: <875xkzfj7l.fsf@bootlin.com>
In-Reply-To: <20250224133007.3037357-1-make24@iscas.ac.cn> (Ma Ke's message of "Mon, 24 Feb 2025 21:30:07 +0800")
Hello Ma,
On 24/02/2025 at 21:30:07 +08, Ma Ke <make24@iscas.ac.cn> wrote:
> In the mtdswap_init(), if the allocations fail, the error handling
> path frees d->page_buf, d->eb_data, d->revmap and d->page_data without
> setting these pointers to NULL. This could lead to UAF if subsequent
> error handling or device reset operations attempt to release these
> pointers again.
>
> Set d->page_buf, d->eb_data, d->revmap and d->page_data to NULL
> immediately after freeing them to prevent misuse. Release immediately
> and set to NULL, adhering to the 'release implies invalid' defensive
> programming principle.
>
> Found by code review.
>
> Cc: stable@vger.kernel.org
> Fixes: a32159024620 ("mtd: Add mtdswap block driver")
I am sorry, but are you really fixing something? There are thousands of
drivers doing nothing with their freed pointers in the error path,
because they just cannot be used anymore.
Thanks,
Miquèl
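An added illustration of the two positions in this thread (a constructed example; not mtdswap's code, and every name in it is hypothetical): demo_init unwinds in the goto style and clears each freed pointer as the patch proposes, while demo_probe shows the caller idiom the reply relies on, where a failed init discards the whole state object so the freed members are never reachable again.

```c
#include <stdlib.h>
/* Constructed stand-in for a driver's private state; not mtdswap's real struct. */
struct demo_dev { char *page_buf; int *eb_data; int *revmap; int *page_data; };
/* Fault-injecting allocator: returns NULL on the Nth call (0 = never fail). */
static int fail_on_call, call_count;
static void *demo_alloc(size_t n)
{
	if (fail_on_call && ++call_count == fail_on_call)
		return NULL;
	return calloc(1, n);
}
/* Init in the kernel's goto-unwind style: each label frees what was
 * allocated before it, then clears the pointer as the patch proposes. */
int demo_init(struct demo_dev *d, int fail_at)
{
	fail_on_call = fail_at; call_count = 0;
	if (!(d->page_buf = demo_alloc(64)))
		return -1;
	if (!(d->eb_data = demo_alloc(16 * sizeof(int))))
		goto free_page_buf;
	if (!(d->revmap = demo_alloc(16 * sizeof(int))))
		goto free_eb_data;
	if (!(d->page_data = demo_alloc(16 * sizeof(int))))
		goto free_revmap;
	return 0;
free_revmap:
	free(d->revmap);
	d->revmap = NULL;
free_eb_data:
	free(d->eb_data);
	d->eb_data = NULL;
free_page_buf:
	free(d->page_buf);
	d->page_buf = NULL;
	return -1;
}
/* Caller idiom the reply relies on: a failed init discards the whole state
 * object, so nothing can reach the freed members whether or not they were
 * cleared. Returns 0 on success, -1 on a simulated allocation failure. */
int demo_probe(int fail_at)
{
	struct demo_dev *d = calloc(1, sizeof(*d));
	if (!d || demo_init(d, fail_at)) {
		free(d);
		return -1;
	}
	free(d->page_data); free(d->revmap); free(d->eb_data); free(d->page_buf);
	free(d);
	return 0;
}
```

Clearing the pointers only changes observable state when the containing object outlives the failed init; in the probe-style caller above it never does, which is the reviewer's point.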