linux-hardened/drivers/misc/mei
John Hubbard c1a214ad82 mei: fix use-after-free in mei_cl_write
KASAN reports a use-after-free during startup, in mei_cl_write:

    BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei]
       (drivers/misc/mei/client.c:1770)

This is caused by commit 98e70866aa ("mei: add support for variable
length mei headers."), which changed the return value from len to
buf->size. That ends up using a stale buf pointer, because in a blocking
call, the cb (callback) is deleted in the me_cl_complete() function.

However, fortunately, len remains unchanged throughout the function
(and I don't see anything else that would require re-reading buf->size
either), so the fix is to simply revert the change, and return len, as
before.

Fixes: 98e70866aa ("mei: add support for variable length mei headers.")
CC: Arnd Bergmann <arnd@arndb.de>
CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-12 09:14:24 +02:00
bus-fixup.c mei: bus: suppress sign-compare warnings 2018-07-16 13:29:35 +02:00
bus.c mei: add optional timeout to internal bus recv 2018-07-03 13:11:20 +02:00
client.c mei: fix use-after-free in mei_cl_write 2018-09-12 09:14:24 +02:00
client.h mei: fix ssize_t to int assignment in read and write ops. 2018-07-12 16:23:19 +02:00
debugfs.c mei: restrict dma ring support to hbm version 2.1 2018-08-02 10:18:30 +02:00
hbm.c mei: ignore not found client in the enumeration 2018-09-12 09:14:24 +02:00
hbm.h mei: me: d0i3: add d0i3 enter/exit state machine 2015-08-03 17:33:55 -07:00
hw-me-regs.h mei: me: add cannon point device ids for 4th device 2018-02-20 08:58:42 +01:00
hw-me.c mei: define dma ring buffer sizes for PCH12 HW and newer 2018-08-02 10:18:30 +02:00
hw-me.h mei: define dma ring buffer sizes for PCH12 HW and newer 2018-08-02 10:18:30 +02:00
hw-txe-regs.h mei: extract fw status registers 2014-05-03 19:21:22 -04:00
hw-txe.c mei: add support for variable length mei headers. 2018-08-02 10:18:29 +02:00
hw-txe.h mei: simplify error handling via devres function. 2017-01-31 11:08:18 +01:00
hw.h mei: restrict dma ring support to hbm version 2.1 2018-08-02 10:18:30 +02:00
init.c mei: limit the number of queued writes 2018-03-14 19:33:13 +01:00
interrupt.c mei: add support for variable length mei headers. 2018-08-02 10:18:29 +02:00
Kconfig mei: wd: drop the watchdog code from the core mei driver 2016-02-06 22:11:06 -08:00
main.c mei: fix ssize_t to int assignment in read and write ops. 2018-07-12 16:23:19 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mei-trace.c tracing, mei: Remove unused trace event mei_pci_cfg_write 2017-10-20 15:17:44 +02:00
mei-trace.h tracing, mei: Remove unused trace event mei_pci_cfg_write 2017-10-20 15:17:44 +02:00
mei_dev.h mei: restrict dma ring support to hbm version 2.1 2018-08-02 10:18:30 +02:00
pci-me.c mei: me: add cannon point device ids for 4th device 2018-02-20 08:58:42 +01:00
pci-txe.c Merge branch 'pm-core' 2017-11-13 01:41:26 +01:00