On Mon, Apr 11, 2022 at 10:55 PM Andy Shevchenko <andy.shevchenko@xxxxxxxxx> wrote:
>
> On Sun, Apr 10, 2022 at 5:14 AM Dongliang Mu <dzm91@xxxxxxxxxxx> wrote:
> >
> > From: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
> >
> > cdc_ncm_bind calls cdc_ncm_bind_common and sets dev->data[0]
> > with ctx. However, in the unbind function - cdc_ncm_unbind,
> > it calls cdc_ncm_free and frees ctx, leaving dev->data[0] as
> > a dangling pointer. The following ioctl operation will trigger
> > the UAF in the function cdc_ncm_set_dgram_size.
>
> First of all, please use the standard form of referring to the func()
> as in this sentence.

OK, no problem.

> > Fix this by setting dev->data[0] to zero.
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in cdc_ncm_set_dgram_size+0xc91/0xde0
> > Read of size 8 at addr ffff8880755210b0 by task dhcpcd/3174
> >
>
> Please, avoid SO noisy commit messages. Find the core part of the
> traceback(s) which should be rarely more than 5-10 lines.

Sure. I will revise them in the v2 patch.

> > ...
>
> The code seems fine.
>
> --
> With Best Regards,
> Andy Shevchenko
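The lifecycle the commit message describes, as an added example that is not the kernel's code nor the patch itself: a user-space model of the bind/unbind/ioctl sequence, with the unbind that leaves dev->data[0] stale beside the one that zeroes it. The types usbnet_model and ncm_ctx_model and the model_* functions are hypothetical stand-ins for the driver's structures; the check in the late ioctl only protects anything once the slot is cleared.

```c
/* Added example, not kernel code: a small model of the bind/unbind lifecycle
 * in the commit message; usbnet_model, ncm_ctx_model, model_* are stand-ins. */
#include <stdlib.h>
struct ncm_ctx_model { unsigned int max_datagram_size; };
struct usbnet_model { unsigned long data[1]; };  /* data[0]: the ctx slot */

static int model_bind(struct usbnet_model *dev)
{
	struct ncm_ctx_model *ctx = calloc(1, sizeof(*ctx));
	if (!ctx) return -1;
	ctx->max_datagram_size = 1514;
	dev->data[0] = (unsigned long)ctx;      /* as cdc_ncm_bind_common() */
	return 0;
}

/* Before the fix: ctx is freed but the slot keeps the stale pointer. */
static void model_unbind_dangling(struct usbnet_model *dev)
{
	free((struct ncm_ctx_model *)dev->data[0]);
}

/* With the proposed fix: clear the slot once ctx is freed. */
static void model_unbind_fixed(struct usbnet_model *dev)
{
	free((struct ncm_ctx_model *)dev->data[0]);
	dev->data[0] = 0;
}

/* Stand-in for cdc_ncm_set_dgram_size(): 0 on success, -1 without ctx. The
 * NULL check only helps if unbind zeroed the slot; a stale pointer passes. */
static int model_set_dgram_size(struct usbnet_model *dev, unsigned int size)
{
	struct ncm_ctx_model *ctx = (struct ncm_ctx_model *)dev->data[0];
	if (!ctx) return -1;
	ctx->max_datagram_size = size;
	return 0;
}

/* bind -> ioctl -> unbind, then inspect the slot without touching freed memory:
 * 1 = stale pointer left (UAF path), -1 = slot cleared and late ioctl rejected. */
static int lifecycle(void (*unbind)(struct usbnet_model *))
{
	struct usbnet_model dev = { {0} };
	if (model_bind(&dev) != 0 || model_set_dgram_size(&dev, 2048) != 0)
		return -2;                /* setup failed */
	unbind(&dev);
	if (dev.data[0] != 0)
		return 1;                 /* a real ioctl would now use freed ctx */
	return model_set_dgram_size(&dev, 2048);
}
```

Running lifecycle() with each unbind shows the difference: the stale slot is reported without being dereferenced, while the zeroed slot makes the late call fail cleanly.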