mirror of
https://github.com/torvalds/linux
synced 2024-10-18 09:18:26 +00:00
aadb22ba2f
In get_initial_state, it calls notify_initial_state_done(skb,..) if
cb->args[5]==1. If genlmsg_put() fails in notify_initial_state_done(),
the skb will be freed by nlmsg_free(skb).
Then get_initial_state will goto out and the freed skb will be used by
the return value skb->len, which is a uaf bug.
What's worse, the same problem goes even further: skb can also be
freed in the notify_*_state_change -> notify_*_state calls below.
Thus 4 additional uaf bugs happened.
My patch lets the problematic callee functions, notify_initial_state_done
and notify_*_state_change, return an error code if errors happen,
so that the error codes can be propagated and the uaf bugs can be avoided.
v2 reported a compilation warning. This v3 fixed this warning and built
successfully in my local environment with no additional warnings.
v2: https://lore.kernel.org/patchwork/patch/1435218/
Fixes:
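The ownership mistake the commit message describes, modelled as an added, constructed C example (not kernel code and not the patch itself): a callee that frees the message buffer on error while giving the caller no signal, so the caller's `return skb->len` reads freed memory, beside the fixed contract in which the callee returns an error code that the caller propagates without touching the buffer again. `struct msg_buf`, `fake_genlmsg_put()` and `msg_free()` are hypothetical stand-ins for `struct sk_buff`, `genlmsg_put()` and `nlmsg_free()`; the same contract applies to the `notify_*_state_change` helpers the message mentions.

```c
/* Constructed model of the use-after-free pattern from the commit message.
 * Not kernel code: msg_buf / fake_genlmsg_put / msg_free stand in for
 * sk_buff / genlmsg_put / nlmsg_free. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Stand-in for struct sk_buff; only the length bookkeeping is modelled. */
struct msg_buf {
    size_t len;
    size_t capacity;
};

static struct msg_buf *msg_alloc(size_t capacity)
{
    struct msg_buf *m = calloc(1, sizeof(*m));
    if (m)
        m->capacity = capacity;
    return m;
}

static void msg_free(struct msg_buf *m)
{
    free(m);
}

/* Stand-in for genlmsg_put(): reserve hdr_len bytes of header, or fail
 * when the buffer has no room left (the real helper returns NULL then). */
static bool fake_genlmsg_put(struct msg_buf *m, size_t hdr_len)
{
    if (m->len + hdr_len > m->capacity)
        return false;
    m->len += hdr_len;
    return true;
}

/* --- Before the fix: callee frees on error, caller is not told --- */

void buggy_notify_initial_state_done(struct msg_buf *skb)
{
    if (!fake_genlmsg_put(skb, 16)) {
        msg_free(skb);   /* caller still holds the dangling pointer */
        return;
    }
}

/* Do not call: reads skb->len after skb may already be freed. Kept only to
 * show the shape of the bug; the test below never executes it. */
int buggy_get_initial_state(struct msg_buf *skb)
{
    buggy_notify_initial_state_done(skb);
    return (int)skb->len;   /* use-after-free when the put failed */
}

/* --- After the fix: callee frees and reports, caller propagates --- */

int fixed_notify_initial_state_done(struct msg_buf *skb)
{
    if (!fake_genlmsg_put(skb, 16)) {
        msg_free(skb);
        return -EMSGSIZE;   /* tells the caller the buffer is gone */
    }
    return 0;
}

int fixed_get_initial_state(struct msg_buf *skb)
{
    int err = fixed_notify_initial_state_done(skb);
    if (err)
        return err;          /* skb already freed: do not read skb->len */
    return (int)skb->len;    /* only reached while skb is still valid */
}

/* Driver for the fixed path: allocates a buffer of the given capacity,
 * runs the fixed caller and releases the buffer only on success (on error
 * the callee has already released it). Returns the length or -errno. */
int run_fixed(size_t capacity)
{
    struct msg_buf *skb = msg_alloc(capacity);
    if (!skb)
        return -ENOMEM;
    int ret = fixed_get_initial_state(skb);
    if (ret >= 0)
        msg_free(skb);
    return ret;
}
```

With a 64-byte buffer the 16-byte header fits and `run_fixed` returns 16; with an 8-byte buffer the put fails, the callee frees the buffer and returns `-EMSGSIZE`, and the caller hands that code back without dereferencing the freed pointer.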