From: Greg Kroah-Hartman Date: Mon, 6 Jun 2022 17:45:30 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.10.121~52 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=754c42d45d623a53f71d14725e2c7f358c4df308;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: thermal-core-fix-a-uaf-bug-in-__thermal_cooling_device_register.patch thermal-core-fix-memory-leak-in-the-error-path.patch
---
diff --git a/queue-5.10/series b/queue-5.10/series
index 4ff88a04937..777beaae7fe 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -436,3 +436,5 @@ xfs-force-log-and-push-ail-to-clear-pinned-inodes-when-aborting-mount.patch
 xfs-consider-shutdown-in-bmapbt-cursor-delete-assert.patch
 xfs-assert-in-xfs_btree_del_cursor-should-take-into-account-error.patch
 kseltest-cgroup-make-test_stress.sh-work-if-run-interactively.patch
+thermal-core-fix-a-uaf-bug-in-__thermal_cooling_device_register.patch
+thermal-core-fix-memory-leak-in-the-error-path.patch
diff --git a/queue-5.10/thermal-core-fix-a-uaf-bug-in-__thermal_cooling_device_register.patch b/queue-5.10/thermal-core-fix-a-uaf-bug-in-__thermal_cooling_device_register.patch
new file mode 100644
index 00000000000..903348c50c9
--- /dev/null
+++ b/queue-5.10/thermal-core-fix-a-uaf-bug-in-__thermal_cooling_device_register.patch
@@ -0,0 +1,90 @@
+From 0a5c26712f963f0500161a23e0ffff8d29f742ab Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan
+Date: Fri, 15 Oct 2021 10:45:04 +0800
+Subject: thermal/core: fix a UAF bug in __thermal_cooling_device_register()
+
+From: Ziyang Xuan
+
+commit 0a5c26712f963f0500161a23e0ffff8d29f742ab upstream.
+
+When device_register() return failed, program will goto out_kfree_type
+to release 'cdev->device' by put_device(). That will call thermal_release()
+to free 'cdev'. But the follow-up processes access 'cdev' continually.
+That trggers the UAF bug.
+
+====================================================================
+BUG: KASAN: use-after-free in __thermal_cooling_device_register+0x75b/0xa90
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+Call Trace:
+ dump_stack_lvl+0xe2/0x152
+ print_address_description.constprop.0+0x21/0x140
+ ? __thermal_cooling_device_register+0x75b/0xa90
+ kasan_report.cold+0x7f/0x11b
+ ? __thermal_cooling_device_register+0x75b/0xa90
+ __thermal_cooling_device_register+0x75b/0xa90
+ ? memset+0x20/0x40
+ ? __sanitizer_cov_trace_pc+0x1d/0x50
+ ? __devres_alloc_node+0x130/0x180
+ devm_thermal_of_cooling_device_register+0x67/0xf0
+ max6650_probe.cold+0x557/0x6aa
+......
+
+Freed by task 258:
+ kasan_save_stack+0x1b/0x40
+ kasan_set_track+0x1c/0x30
+ kasan_set_free_info+0x20/0x30
+ __kasan_slab_free+0x109/0x140
+ kfree+0x117/0x4c0
+ thermal_release+0xa0/0x110
+ device_release+0xa7/0x240
+ kobject_put+0x1ce/0x540
+ put_device+0x20/0x30
+ __thermal_cooling_device_register+0x731/0xa90
+ devm_thermal_of_cooling_device_register+0x67/0xf0
+ max6650_probe.cold+0x557/0x6aa [max6650]
+
+Do not use 'cdev' again after put_device() to fix the problem like doing
+in thermal_zone_device_register().
+
+[dlezcano]: as requested by Rafael, change the affectation into two statements.
+
+Fixes: 584837618100 ("thermal/drivers/core: Use a char pointer for the cooling device name")
+Signed-off-by: Ziyang Xuan
+Reported-by: kernel test robot
+Link: https://lore.kernel.org/r/20211015024504.947520-1-william.xuanziyang@huawei.com
+Signed-off-by: Daniel Lezcano
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thermal/thermal_core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -1092,7 +1092,7 @@ __thermal_cooling_device_register(struct
+ {
+ struct thermal_cooling_device *cdev;
+ struct thermal_zone_device *pos = NULL;
+- int ret;
++ int id, ret;
+
+ if (!ops || !ops->get_max_state || !ops->get_cur_state ||
+ !ops->set_cur_state)
+@@ -1106,6 +1106,7 @@ __thermal_cooling_device_register(struct
+ if (ret < 0)
+ goto out_kfree_cdev;
+ cdev->id = ret;
++ id = ret;
+
+ cdev->type = kstrdup(type ? type : "", GFP_KERNEL);
+ if (!cdev->type) {
+@@ -1147,8 +1148,9 @@ out_kfree_type:
+ thermal_cooling_device_destroy_sysfs(cdev);
+ kfree(cdev->type);
+ put_device(&cdev->device);
++ cdev = NULL;
+ out_ida_remove:
+- ida_simple_remove(&thermal_cdev_ida, cdev->id);
++ ida_simple_remove(&thermal_cdev_ida, id);
+ out_kfree_cdev:
+ return ERR_PTR(ret);
+ }
diff --git a/queue-5.10/thermal-core-fix-memory-leak-in-the-error-path.patch b/queue-5.10/thermal-core-fix-memory-leak-in-the-error-path.patch
new file mode 100644
index 00000000000..fa3393cd684
--- /dev/null
+++ b/queue-5.10/thermal-core-fix-memory-leak-in-the-error-path.patch
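Review bot: In the `out_kfree_type` hunk of the queued UAF fix, `cdev = NULL;` after `put_device(&cdev->device);` carries no comment, although every label it falls through to now depends on cdev not being dereferenced again. A one-line comment would keep a later cleanup from dropping it as a dead store: `/* put_device() released cdev via thermal_release(); it must not be touched below */`. The new `id = ret;` copy deserves the same treatment, since it exists only so that `ida_simple_remove()` can still run after that release: `/* keep the id: cdev may already be freed at out_ida_remove */`. The function starts outside the quoted hunks, so whether any path can reach `out_ida_remove` before `id` is assigned cannot be confirmed from here.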
@@ -0,0 +1,36 @@
+From d44616c6cc3e35eea03ecfe9040edfa2b486a059 Mon Sep 17 00:00:00 2001
+From: Daniel Lezcano
+Date: Fri, 19 Mar 2021 21:22:57 +0100
+Subject: thermal/core: Fix memory leak in the error path
+
+From: Daniel Lezcano
+
+commit d44616c6cc3e35eea03ecfe9040edfa2b486a059 upstream.
+
+Fix the following error:
+
+ smatch warnings:
+ drivers/thermal/thermal_core.c:1020 __thermal_cooling_device_register() warn: possible memory leak of 'cdev'
+
+by freeing the cdev when exiting the function in the error path.
+
+Fixes: 584837618100 ("thermal/drivers/core: Use a char pointer for the cooling device name")
+Reported-by: kernel test robot
+Reported-by: Dan Carpenter
+Signed-off-by: Daniel Lezcano
+Link: https://lore.kernel.org/r/20210319202257.890848-1-daniel.lezcano@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thermal/thermal_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -1152,6 +1152,7 @@ out_kfree_type:
+ out_ida_remove:
+ ida_simple_remove(&thermal_cdev_ida, id);
+ out_kfree_cdev:
++ kfree(cdev);
+ return ERR_PTR(ret);
+ }
+
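Review bot: The added `kfree(cdev);` under `out_kfree_cdev` is also reached by fall-through from `out_kfree_type`, where, according to the companion patch's description, `put_device()` has already freed the object through thermal_release(); it is safe there only because that companion patch sets `cdev = NULL;` first. The context line `ida_simple_remove(&thermal_cdev_ida, id);` shows this backport is already based on the UAF fix and the series order is right, but a tree that picks this patch alone would free cdev twice on the device_register() failure path. A comment at the call would record the dependency: `/* cdev is NULL here if put_device() already released it above */`. The function body starts outside the hunk, so the other jumps to these labels are not visible.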