WSL2-Linux-Kernel/drivers/mtd
Zhihao Cheng 5ff2514e4f ubi: ubi_create_volume: Fix use-after-free when volume creation failed
[ Upstream commit 8c03a1c21d ]

There is a use-after-free problem for 'eba_tbl' in ubi_create_volume()'s
error handling path:

  ubi_eba_replace_table(vol, eba_tbl)
    vol->eba_tbl = tbl
out_mapping:
  ubi_eba_destroy_table(eba_tbl)   // Free 'eba_tbl'
out_unlock:
  put_device(&vol->dev)
    vol_release
      kfree(tbl->entries)	  // UAF

Fix it by removing redundant 'eba_tbl' releasing.
Fetch a reproducer in [Link].

Fixes: 493cfaeaa0 ("mtd: utilize new cdev_device_add helper function")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215965
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-06-14 18:36:10 +02:00
chips mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N 2022-06-09 10:23:25 +02:00
devices mtd: mchp48l640: Add SPI ID table 2022-04-08 14:23:29 +02:00
hyperbus mtd: hyperbus: rpc-if: fix bug in rpcif_hb_remove 2022-01-27 11:03:15 +01:00
lpddr mtd: lpddr: fix excessive stack usage with clang 2020-08-27 14:36:07 +02:00
maps mtd: fixup CFI on ixp4xx 2022-01-20 09:13:16 +01:00
nand mtd: rawnand: intel: fix possible null-ptr-deref in ebu_nand_probe() 2022-06-09 10:22:51 +02:00
parsers mtd: parsers: qcom: Fix missing free for pparts in cleanup 2022-02-23 12:03:16 +01:00
spi-nor mtd: spi-nor: core: Check written SR value in spi_nor_write_16bit_sr_and_check() 2022-06-09 10:22:51 +02:00
tests mtd: tests: Remove redundant assignment to err 2021-05-10 12:48:35 +02:00
ubi ubi: ubi_create_volume: Fix use-after-free when volume creation failed 2022-06-14 18:36:10 +02:00
Kconfig mtdblock: Add comment about UBI block devices 2021-08-06 22:05:13 +02:00
Makefile mtd: Support kmsg dumper based on pstore/blk 2020-05-31 19:49:01 -07:00
ftl.c mtd/ftl: don't cast away the type when calling add_mtd_blktrans_dev 2021-08-23 10:01:04 +02:00
inftlcore.c mtd: inftlcore: Use module_mtd_blktrans to register driver 2021-03-11 09:37:48 +01:00
inftlmount.c mtd: inftl: remove unnecessary oom message 2021-06-11 20:44:21 +02:00
mtd_blkdevs.c MTD changes: 2021-09-05 10:50:12 -07:00
mtdblock.c mtdblock: warn if opened on NAND 2022-06-09 10:22:49 +02:00
mtdblock_ro.c mtdblock: Warn if added for a NAND device 2021-08-17 18:41:59 +02:00
mtdchar.c mtd: add OTP (one-time-programmable) erase ioctl 2021-03-28 19:24:54 +02:00
mtdconcat.c mtd: mtdconcat: Check _read, _write callbacks existence before assignment 2021-08-17 18:43:33 +02:00
mtdcore.c mtd: core: Fix a conflict between MTD and NVMEM on wp-gpios property 2022-03-02 11:48:07 +01:00
mtdcore.h mtd: Provide fs_context-aware mount_mtd() replacement 2019-09-05 14:34:23 -04:00
mtdoops.c mtd: mtdoops: remove unnecessary oom message 2021-06-11 20:43:46 +02:00
mtdpart.c mtd: Fixed breaking list in __mtd_del_partition. 2022-01-27 11:02:48 +01:00
mtdpstore.c pstore/blk: Include zone in pstore_device_info 2021-06-16 21:09:31 -07:00
mtdsuper.c block: remove i_bdev 2020-12-01 14:53:39 -07:00
mtdswap.c mtd: mtdswap: Use module_mtd_blktrans to register driver 2021-03-11 09:37:48 +01:00
nftlcore.c mtd: nftlcore: remove set but rewrite variables 2021-05-10 12:11:46 +02:00
nftlmount.c mtd: nftl: remove unnecessary oom message 2021-06-11 20:43:26 +02:00
rfd_ftl.c mtd/rfd_ftl: don't cast away the type when calling add_mtd_blktrans_dev 2021-08-23 10:01:06 +02:00
sm_ftl.c drivers: mtd: sm_ftl: Fix alignment of block comment 2021-05-10 12:49:00 +02:00
sm_ftl.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ssfdc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00