This is a note to let you know that I've just added the patch titled
fbdev: imsttfb: Fix use after free bug in imsttfb_probe
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From c75f5a55061091030a13fef71b9995b89bc86213 Mon Sep 17 00:00:00 2001
From: Zheng Wang <zyytlz.wz@xxxxxxx>
Date: Thu, 27 Apr 2023 11:08:41 +0800
Subject: fbdev: imsttfb: Fix use after free bug in imsttfb_probe
From: Zheng Wang <zyytlz.wz@xxxxxxx>
commit c75f5a55061091030a13fef71b9995b89bc86213 upstream.
A use-after-free bug may occur if init_imstt invokes framebuffer_release
and free the info ptr. The caller, imsttfb_probe didn't notice that and
still keep the ptr as private data in pdev.
If we remove the driver which will call imsttfb_remove to make cleanup,
UAF happens.
Fix it by return error code if bad case happens in init_imstt.
Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
Signed-off-by: Helge Deller <deller@xxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/video/fbdev/imsttfb.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
--- a/drivers/video/fbdev/imsttfb.c
+++ b/drivers/video/fbdev/imsttfb.c
@@ -1348,7 +1348,7 @@ static struct fb_ops imsttfb_ops = {
.fb_ioctl = imsttfb_ioctl,
};
-static void init_imstt(struct fb_info *info)
+static int init_imstt(struct fb_info *info)
{
struct imstt_par *par = info->par;
__u32 i, tmp, *ip, *end;
@@ -1420,7 +1420,7 @@ static void init_imstt(struct fb_info *i
|| !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) {
printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yres, info->var.bits_per_pixel);
framebuffer_release(info);
- return;
+ return -ENODEV;
}
sprintf(info->fix.id, "IMS TT (%s)", par->ramdac == IBM ? "IBM" : "TVP");
@@ -1460,12 +1460,13 @@ static void init_imstt(struct fb_info *i
if (register_framebuffer(info) < 0) {
fb_dealloc_cmap(&info->cmap);
framebuffer_release(info);
- return;
+ return -ENODEV;
}
tmp = (read_reg_le32(par->dc_regs, SSTATUS) & 0x0f00) >> 8;
fb_info(info, "%s frame buffer; %uMB vram; chip version %u\n",
info->fix.id, info->fix.smem_len >> 20, tmp);
+ return 0;
}
static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
@@ -1474,7 +1475,8 @@ static int imsttfb_probe(struct pci_dev
struct imstt_par *par;
struct fb_info *info;
struct device_node *dp;
-
+ int ret;
+
dp = pci_device_to_OF_node(pdev);
if(dp)
printk(KERN_INFO "%s: OF name %s\n",__func__, dp->name);
@@ -1525,10 +1527,10 @@ static int imsttfb_probe(struct pci_dev
par->cmap_regs_phys = addr + 0x840000;
par->cmap_regs = (__u8 *)ioremap(addr + 0x840000, 0x1000);
info->pseudo_palette = par->palette;
- init_imstt(info);
-
- pci_set_drvdata(pdev, info);
- return 0;
+ ret = init_imstt(info);
+ if (!ret)
+ pci_set_drvdata(pdev, info);
+ return ret;
}
static void imsttfb_remove(struct pci_dev *pdev)
Patches currently in stable-queue which might be from zyytlz.wz@xxxxxxx are
queue-4.14/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch
