mirror of
https://github.com/torvalds/linux
synced 2024-10-18 09:18:26 +00:00
aadb22ba2f
In get_initial_state, it calls notify_initial_state_done(skb,..) if
cb->args[5]==1. If genlmsg_put() failed in notify_initial_state_done(),
the skb will be freed by nlmsg_free(skb).
Then get_initial_state will goto out and the freed skb will be used by
return value skb->len, which is a uaf bug.
What's worse, the same problem goes even further: skb can also be
freed in the notify_*_state_change -> notify_*_state calls below.
Thus 4 additional uaf bugs happened.
My patch lets the problem callee functions: notify_initial_state_done
and notify_*_state_change return an error code if errors happen.
So that the error codes could be propagated and the uaf bugs can be avoid.
v2 reports a compilation warning. This v3 fixed this warning and built
successfully in my local environment with no additional warnings.
v2: https://lore.kernel.org/patchwork/patch/1435218/
Fixes:
|
||
|---|---|---|
| .. | ||
| aoe | ||
| drbd | ||
| mtip32xx | ||
| null_blk | ||
| paride | ||
| rnbd | ||
| xen-blkback | ||
| zram | ||
| amiflop.c | ||
| ataflop.c | ||
| brd.c | ||
| floppy.c | ||
| Kconfig | ||
| loop.c | ||
| loop.h | ||
| Makefile | ||
| n64cart.c | ||
| nbd.c | ||
| pktcdvd.c | ||
| ps3disk.c | ||
| ps3vram.c | ||
| rbd.c | ||
| rbd_types.h | ||
| sunvdc.c | ||
| swim.c | ||
| swim3.c | ||
| swim_asm.S | ||
| sx8.c | ||
| virtio_blk.c | ||
| xen-blkfront.c | ||
| z2ram.c | ||