All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] hwmon: Fix possible UAF when ibmpex_register_bmc() fails
@ 2022-11-17  3:44 Gaosheng Cui
  2022-11-20 13:48 ` Guenter Roeck
  0 siblings, 1 reply; 2+ messages in thread
From: Gaosheng Cui @ 2022-11-17  3:44 UTC (permalink / raw)
  To: jdelvare, linux, djwong, mhoffman, cuigaosheng1; +Cc: linux-hwmon

Smatch report warning as follows:

drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:
  '&data->list' not removed from list

If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will
be freed, but data->list will not be removed from driver_data.bmc_data,
then list traversal may cause UAF.

Fix by removeing it from driver_data.bmc_data before free().

Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
---
 drivers/hwmon/ibmpex.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c
index f6ec165c0fa8..1837cccd993c 100644
--- a/drivers/hwmon/ibmpex.c
+++ b/drivers/hwmon/ibmpex.c
@@ -502,6 +502,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev)
 	return;
 
 out_register:
+	list_del(&data->list);
 	hwmon_device_unregister(data->hwmon_dev);
 out_user:
 	ipmi_destroy_user(data->user);
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] hwmon: Fix possible UAF when ibmpex_register_bmc() fails
  2022-11-17  3:44 [PATCH] hwmon: Fix possible UAF when ibmpex_register_bmc() fails Gaosheng Cui
@ 2022-11-20 13:48 ` Guenter Roeck
  0 siblings, 0 replies; 2+ messages in thread
From: Guenter Roeck @ 2022-11-20 13:48 UTC (permalink / raw)
  To: Gaosheng Cui; +Cc: jdelvare, djwong, mhoffman, linux-hwmon

On Thu, Nov 17, 2022 at 11:44:23AM +0800, Gaosheng Cui wrote:
> Smatch report warning as follows:
> 
> drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:
>   '&data->list' not removed from list
> 
> If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will
> be freed, but data->list will not be removed from driver_data.bmc_data,
> then list traversal may cause UAF.
> 
> Fix by removeing it from driver_data.bmc_data before free().
> 
> Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver")
> Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>

Applied.

Thanks,
Guenter

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-11-20 13:48 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-17  3:44 [PATCH] hwmon: Fix possible UAF when ibmpex_register_bmc() fails Gaosheng Cui
2022-11-20 13:48 ` Guenter Roeck

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.