Re: [PATCH] dpll: Add a check before kfree() to match the existing check before kmemdup()

Jiasheng Jiang <jiashengjiangcool@xxxxxxxxx> · Mon, 24 Feb 2025 11:47:04 -0500

Hi Jiri,

On Mon, Feb 24, 2025 at 7:04 AM Jiri Pirko <jiri@xxxxxxxxxxx> wrote:
>
> Mon, Feb 24, 2025 at 10:31:27AM +0100, arkadiusz.kubalewski@xxxxxxxxx wrote:
> >Hi Jiasheng, many thanks for the patch!
> >
> >>From: Jiasheng Jiang <jiashengjiangcool@xxxxxxxxx>
> >>Sent: Sunday, February 23, 2025 9:17 PM
> >>
> >>When src->freq_supported is not NULL but src->freq_supported_num is 0,
> >>dst->freq_supported is equal to src->freq_supported.
> >>In this case, if the subsequent kstrdup() fails, src->freq_supported may
> >
> >The src->freq_supported is not being freed in this function,
> >you ment dst->freq_supported?
> >But also it is not true.
> >dst->freq_supported is being freed already, this patch adds only additional
> >condition over it..
> >From kfree doc: "If @object is NULL, no operation is performed.".
> >
> >>be freed without being set to NULL, potentially leading to a
> >>use-after-free or double-free error.
> >>
> >
> >kfree does not set to NULL from what I know. How would it lead to
> >use-after-free/double-free?
> >Why the one would use the memory after the function returns -ENOMEM?
> >
> >I don't think this patch is needed or resolves anything.
>
> I'm sure it's not needed.
>

After "memcpy(dst, src, sizeof(*dst))", dst->freq_supported will point
to the same memory as src->freq_supported.
When src->freq_supported is not NULL but src->freq_supported_num is 0,
dst->freq_supported still points to the same memory as src->freq_supported.
Then, if the subsequent kstrdup() fails, dst->freq_supported is freed,
and src->freq_supported becomes a Dangling Pointer,
potentially leading to a use-after-free or double-free error.

-Jiasheng

> >
> >Thank you!
> >Arkadiusz
> >
> >>Fixes: 830ead5fb0c5 ("dpll: fix pin dump crash for rebound module")
> >>Cc: <stable@xxxxxxxxxxxxxxx> # v6.8+
> >>Signed-off-by: Jiasheng Jiang <jiashengjiangcool@xxxxxxxxx>
> >>---
> >> drivers/dpll/dpll_core.c | 3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >>diff --git a/drivers/dpll/dpll_core.c b/drivers/dpll/dpll_core.c
> >>index 32019dc33cca..7d147adf8455 100644
> >>--- a/drivers/dpll/dpll_core.c
> >>+++ b/drivers/dpll/dpll_core.c
> >>@@ -475,7 +475,8 @@ static int dpll_pin_prop_dup(const struct
> >>dpll_pin_properties *src,
> >> err_panel_label:
> >>      kfree(dst->board_label);
> >> err_board_label:
> >>-     kfree(dst->freq_supported);
> >>+     if (src->freq_supported_num)
> >>+             kfree(dst->freq_supported);
> >>      return -ENOMEM;
> >> }
> >>
> >>--
> >>2.25.1
> >