Re: [PATCH] dpll: Add a check before kfree() to match the existing check before kmemdup()

Jiri Pirko <jiri@xxxxxxxxxxx> · Tue, 25 Feb 2025 13:08:24 +0100

Mon, Feb 24, 2025 at 05:47:04PM +0100, jiashengjiangcool@xxxxxxxxx wrote:
>Hi Jiri,
>
>On Mon, Feb 24, 2025 at 7:04 AM Jiri Pirko <jiri@xxxxxxxxxxx> wrote:
>>
>> Mon, Feb 24, 2025 at 10:31:27AM +0100, arkadiusz.kubalewski@xxxxxxxxx wrote:
>> >Hi Jiasheng, many thanks for the patch!
>> >
>> >>From: Jiasheng Jiang <jiashengjiangcool@xxxxxxxxx>
>> >>Sent: Sunday, February 23, 2025 9:17 PM
>> >>
>> >>When src->freq_supported is not NULL but src->freq_supported_num is 0,
>> >>dst->freq_supported is equal to src->freq_supported.
>> >>In this case, if the subsequent kstrdup() fails, src->freq_supported may
>> >
>> >The src->freq_supported is not being freed in this function,
>> >you ment dst->freq_supported?
>> >But also it is not true.
>> >dst->freq_supported is being freed already, this patch adds only additional
>> >condition over it..
>> >From kfree doc: "If @object is NULL, no operation is performed.".
>> >
>> >>be freed without being set to NULL, potentially leading to a
>> >>use-after-free or double-free error.
>> >>
>> >
>> >kfree does not set to NULL from what I know. How would it lead to
>> >use-after-free/double-free?
>> >Why the one would use the memory after the function returns -ENOMEM?
>> >
>> >I don't think this patch is needed or resolves anything.
>>
>> I'm sure it's not needed.
>>
>
>After "memcpy(dst, src, sizeof(*dst))", dst->freq_supported will point
>to the same memory as src->freq_supported.
>When src->freq_supported is not NULL but src->freq_supported_num is 0,
>dst->freq_supported still points to the same memory as src->freq_supported.
>Then, if the subsequent kstrdup() fails, dst->freq_supported is freed,
>and src->freq_supported becomes a Dangling Pointer,
>potentially leading to a use-after-free or double-free error.

Okay. This condition should not happen, driver is broken in that case.
Better add an assertion for it.

>
>-Jiasheng
>
>> >
>> >Thank you!
>> >Arkadiusz
>> >
>> >>Fixes: 830ead5fb0c5 ("dpll: fix pin dump crash for rebound module")
>> >>Cc: <stable@xxxxxxxxxxxxxxx> # v6.8+
>> >>Signed-off-by: Jiasheng Jiang <jiashengjiangcool@xxxxxxxxx>
>> >>---
>> >> drivers/dpll/dpll_core.c | 3 ++-
>> >> 1 file changed, 2 insertions(+), 1 deletion(-)
>> >>
>> >>diff --git a/drivers/dpll/dpll_core.c b/drivers/dpll/dpll_core.c
>> >>index 32019dc33cca..7d147adf8455 100644
>> >>--- a/drivers/dpll/dpll_core.c
>> >>+++ b/drivers/dpll/dpll_core.c
>> >>@@ -475,7 +475,8 @@ static int dpll_pin_prop_dup(const struct
>> >>dpll_pin_properties *src,
>> >> err_panel_label:
>> >>      kfree(dst->board_label);
>> >> err_board_label:
>> >>-     kfree(dst->freq_supported);
>> >>+     if (src->freq_supported_num)
>> >>+             kfree(dst->freq_supported);
>> >>      return -ENOMEM;
>> >> }
>> >>
>> >>--
>> >>2.25.1
>> >