Patch "misc/libmasm/module: Fix two use after free in ibmasm_init_one" has been added to the 5.13-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 19 Jul 2021 09:17:19 -0400

This is a note to let you know that I've just added the patch titled

    misc/libmasm/module: Fix two use after free in ibmasm_init_one

to the 5.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     misc-libmasm-module-fix-two-use-after-free-in-ibmasm.patch
and it can be found in the queue-5.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 514343b929f6bb2e3bbc5be167d318c8db064329
Author: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
Date:   Mon Apr 26 10:06:20 2021 -0700

    misc/libmasm/module: Fix two use after free in ibmasm_init_one
    
    [ Upstream commit 7272b591c4cb9327c43443f67b8fbae7657dd9ae ]
    
    In ibmasm_init_one, it calls ibmasm_init_remote_input_dev().
    Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are
    allocated by input_allocate_device(), and assigned to
    sp->remote.mouse_dev and sp->remote.keybd_dev respectively.
    
    In the err_free_devices error branch of ibmasm_init_one,
    mouse_dev and keybd_dev are freed by input_free_device(), and return
    error. Then the execution runs into error_send_message error branch
    of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called
    to unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev.
    
    My patch add a "error_init_remote" label to handle the error of
    ibmasm_init_remote_input_dev(), to avoid the uaf bugs.
    
    Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20210426170620.10546-1-lyl2019@xxxxxxxxxxxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/misc/ibmasm/module.c b/drivers/misc/ibmasm/module.c
index 4edad6c445d3..dc8a06c06c63 100644
--- a/drivers/misc/ibmasm/module.c
+++ b/drivers/misc/ibmasm/module.c
@@ -111,7 +111,7 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
 	result = ibmasm_init_remote_input_dev(sp);
 	if (result) {
 		dev_err(sp->dev, "Failed to initialize remote queue\n");
-		goto error_send_message;
+		goto error_init_remote;
 	}
 
 	result = ibmasm_send_driver_vpd(sp);
@@ -131,8 +131,9 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
 	return 0;
 
 error_send_message:
-	disable_sp_interrupts(sp->base_address);
 	ibmasm_free_remote_input_dev(sp);
+error_init_remote:
+	disable_sp_interrupts(sp->base_address);
 	free_irq(sp->irq, (void *)sp);
 error_request_irq:
 	iounmap(sp->base_address);






