linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
	Wenwen Wang <wenwen@cs.uga.edu>, stable <stable@vger.kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [PATCH 02/69] Revert "ACPI: custom_method: fix memory leaks"
Date: Mon,  3 May 2021 13:56:29 +0200
Message-ID: <20210503115736.2104747-3-gregkh@linuxfoundation.org>
In-Reply-To: <20210503115736.2104747-1-gregkh@linuxfoundation.org>

From: Kees Cook <keescook@chromium.org>

This reverts commit 03d1571d9513369c17e6848476763ebbd10ec2cb.

While /sys/kernel/debug/acpi/custom_method is already a privileged-only
API providing proxied arbitrary write access to kernel memory[1][2],
with existing race conditions[3] in buffer allocation and use that could
lead to memory leaks and use-after-free conditions, the above commit
appears to accidentally make the use-after-free conditions even easier
to accomplish. ("buf" is a global variable and prior kfree()s would set
buf back to NULL.)

This entire interface needs to be reworked (if not entirely removed).

[1] https://lore.kernel.org/lkml/20110222193250.GA23913@outflux.net/
[2] https://lore.kernel.org/lkml/201906221659.B618D83@keescook/
[3] https://lore.kernel.org/lkml/20170109231323.GA89642@beast/

Cc: Wenwen Wang <wenwen@cs.uga.edu>
Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/custom_method.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index 443fdf62dd22..72469a49837d 100644
--- a/drivers/acpi/custom_method.c
+++ b/drivers/acpi/custom_method.c
@@ -53,10 +53,8 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
 	if ((*ppos > max_size) ||
 	    (*ppos + count > max_size) ||
 	    (*ppos + count < count) ||
-	    (count > uncopied_bytes)) {
-		kfree(buf);
+	    (count > uncopied_bytes))
 		return -EINVAL;
-	}
 
 	if (copy_from_user(buf + (*ppos), user_buf, count)) {
 		kfree(buf);
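Review bot: The bare `return -EINVAL` on the bounds check now leaves the global `buf` allocated and non-NULL, and nothing at that line says the leak is deliberate. Because the commit message gives the dangling global pointer as the reason for dropping the `kfree(buf)` here, a short comment at this return would keep a later "fix the leak" patch from reintroducing the same free. The `kfree(buf)` kept in the `copy_from_user()` failure branch just below needs the same scrutiny: the visible context does not show `buf` being set back to NULL after it, and no locking around the global is visible in this hunk.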
@@ -76,7 +74,6 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
 		add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE);
 	}
 
-	kfree(buf);
 	return count;
 }
 
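Review bot: With the unconditional `kfree(buf)` before `return count` removed, nothing in this hunk shows where `buf` is released once the method has been fully written. The removed call sat after the closing brace of the preceding block, so it ran on every successful write and left the global pointing at freed memory for the next call. It would help to state in the commit message or in a comment above `return count` which path owns the final free and whether it resets `buf` to NULL, so the remaining lifetime rules of the global are checkable from the code rather than only from the referenced threads.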
-- 
2.31.1

