android_kernel_msm-6.1_noth.../drivers
Chaoyuan Peng 9615ca54bc tty: n_gsm: fix UAF in gsm_cleanup_mux
commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239 upstream.

In gsm_cleanup_mux() the 'gsm->dlci' pointer was not cleaned properly,
leaving it a dangling pointer after gsm_dlci_release.
This leads to a use-after-free where 'gsm->dlci[0]' is freed and accessed
by the subsequent gsm_cleanup_mux().

Such is the case in the following call trace:

 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description+0x63/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
 gsm_cleanup_mux+0x76a/0x850 drivers/tty/n_gsm.c:2397
 gsm_config drivers/tty/n_gsm.c:2653 [inline]
 gsmld_ioctl+0xaae/0x15b0 drivers/tty/n_gsm.c:2986
 tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
 </TASK>

Allocated by task 3501:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xba/0xf0 mm/kasan/common.c:513
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 kmem_cache_alloc_trace+0x143/0x290 mm/slub.c:3247
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 gsm_dlci_alloc+0x53/0x3a0 drivers/tty/n_gsm.c:1932
 gsm_activate_mux+0x1c/0x330 drivers/tty/n_gsm.c:2438
 gsm_config drivers/tty/n_gsm.c:2677 [inline]
 gsmld_ioctl+0xd46/0x15b0 drivers/tty/n_gsm.c:2986
 tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Freed by task 3501:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x80 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kfree+0xf1/0x270 mm/slub.c:4559
 dlci_put drivers/tty/n_gsm.c:1988 [inline]
 gsm_dlci_release drivers/tty/n_gsm.c:2021 [inline]
 gsm_cleanup_mux+0x574/0x850 drivers/tty/n_gsm.c:2415
 gsm_config drivers/tty/n_gsm.c:2653 [inline]
 gsmld_ioctl+0xaae/0x15b0 drivers/tty/n_gsm.c:2986
 tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Fixes: aa371e96f0 ("tty: n_gsm: fix restart handling via CLD command")
Signed-off-by: Chaoyuan Peng <hedonistsmith@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-08-03 10:24:12 +02:00
accessibility
acpi ACPI: video: Add backlight=native DMI quirk for Dell Studio 1569 2023-07-27 08:50:33 +02:00
amba
android binder: fix UAF of alloc->vma in race with munmap() 2023-05-30 14:03:19 +01:00
ata ata: pata_ns87415: mark ns87560_tf_read static 2023-08-03 10:24:07 +02:00
atm
auxdisplay
base regmap: Account for register length in SMBus I/O limits 2023-07-27 08:50:26 +02:00
bcma
block ublk: fail to recover device if queue setup is interrupted 2023-08-03 10:24:07 +02:00
bluetooth Bluetooth: hci_qca: fix debugfs registration 2023-06-14 11:15:28 +02:00
bus bus: ixp4xx: fix IXP4XX_EXP_T1_MASK 2023-07-23 13:49:43 +02:00
cdrom
char hwrng: imx-rngc - fix the timeout for init and self check 2023-07-23 13:49:35 +02:00
clk clk: qcom: mmcc-msm8974: fix MDSS_GDSC power flags 2023-07-19 16:21:58 +02:00
clocksource clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe 2023-07-19 16:20:59 +02:00
comedi
connector
counter counter: 104-quad-8: Fix Synapse action reported for Index signals 2023-04-13 16:55:31 +02:00
cpufreq cpufreq: mediatek: correct voltages for MT7622 and MT7623 2023-07-19 16:21:58 +02:00
cpuidle RISC-V: Align SBI probe implementation with spec 2023-05-11 23:03:04 +09:00
crypto crypto: qat - unmap buffers before free for RSA 2023-07-19 16:21:42 +02:00
cxl cxl/acpi: Return 'rc' instead of '0' in cxl_parse_cfmws() 2023-08-03 10:24:04 +02:00
dax dax/kmem: Pass valid argument to memory_group_register_static 2023-07-19 16:21:43 +02:00
dca
devfreq
dio
dma dmaengine: pl330: rename _start to prevent build error 2023-06-09 10:34:00 +02:00
dma-buf dma-buf/dma-resv: Stop leaking on krealloc() failure 2023-07-27 08:50:27 +02:00
edac EDAC/qcom: Get rid of hardcoded register offsets 2023-06-21 16:00:51 +02:00
eisa
extcon extcon: usbc-tusb320: Unregister typec port on driver removal 2023-07-19 16:22:08 +02:00
firewire
firmware firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool() 2023-07-23 13:49:41 +02:00
fpga fpga: bridge: fix kernel-doc parameter description 2023-05-11 23:03:27 +09:00
fsi
gnss
gpio gpio: mvebu: fix irq domain leak 2023-08-03 10:23:49 +02:00
gpu drm/msm: Disallow submit with fence id 0 2023-08-03 10:24:06 +02:00
greybus
hid HID: add quirk for 03f0:464a HP Elite Presenter Mouse 2023-07-27 08:50:32 +02:00
hsi
hte hte: tegra-194: Fix off by one in tegra_hte_map_to_line_id() 2023-05-11 23:03:38 +09:00
hv Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs 2023-06-28 11:12:23 +02:00
hwmon hwmon: (pmbus/adm1275) Fix problems with temperature monitoring on ADM1272 2023-07-19 16:21:27 +02:00
hwspinlock
hwtracing hwtracing: hisi_ptt: Fix potential sleep in atomic context 2023-07-19 16:21:58 +02:00
i2c i2c: nomadik: Remove a useless call in the remove function 2023-08-03 10:23:50 +02:00
i3c i3c: master: svc: fix cpu schedule in spin lock 2023-07-19 16:21:54 +02:00
idle Revert "cpuidle, intel_idle: Fix CPUIDLE_FLAG_IRQ_ENABLE *again*" 2023-04-06 12:10:58 +02:00
iio meson saradc: fix clock divider mask length 2023-07-23 13:49:42 +02:00
infiniband RDMA/irdma: Report correct WC error 2023-08-03 10:24:06 +02:00
input Input: pm8941-powerkey - fix debounce on gen2+ PMICs 2023-07-19 16:21:26 +02:00
interconnect interconnect: qcom: rpm: drop bogus pm domain attach 2023-05-11 23:03:28 +09:00
iommu iommu/virtio: Return size mapped for a detached domain 2023-07-19 16:21:20 +02:00
ipack
irqchip irqchip/loongson-pch-pic: Fix initialization of HT vector register 2023-07-19 16:22:09 +02:00
isdn
leds leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename 2023-07-19 16:22:15 +02:00
macintosh macintosh: via-pmu-led: requires ATA to be set 2023-05-11 23:03:31 +09:00
mailbox mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 2023-07-19 16:22:03 +02:00
mcb mcb-pci: Reallocate memory region to avoid memory overlapping 2023-05-24 17:32:41 +01:00
md dm raid: protect md_stop() with 'reconfig_mutex' 2023-08-03 10:24:05 +02:00
media media: amphion: Fix firmware path to match linux-firmware 2023-08-03 10:23:57 +02:00
memory memory: brcmstb_dpfe: fix testing array offset after use 2023-07-19 16:21:24 +02:00
memstick memstick r592: make memstick_debug_get_tpc_name() static 2023-07-19 16:21:08 +02:00
message scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition 2023-05-24 17:32:37 +01:00
mfd mfd: pm8008: Fix module autoloading 2023-07-23 13:49:37 +02:00
misc misc: pci_endpoint_test: Re-init completion for every test 2023-07-23 13:49:37 +02:00
mmc mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used. 2023-07-19 16:22:09 +02:00
most
mtd mtd: rawnand: meson: fix unaligned DMA buffers handling 2023-07-23 13:49:31 +02:00
mux
net can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED 2023-08-03 10:24:09 +02:00
nfc nfcsim.c: Fix error checking for debugfs_create_dir 2023-06-28 11:12:36 +02:00
ntb NTB: ntb_tool: Add check for devm_kcalloc 2023-07-23 13:49:24 +02:00
nubus nubus: Partially revert proc_create_single_data() conversion 2023-07-05 18:27:37 +01:00
nvdimm
nvme nvme: don't reject probe due to duplicate IDs for single-ported PCIe devices 2023-07-23 13:49:43 +02:00
nvmem nvmem: rmem: Use NVMEM_DEVID_AUTO 2023-07-19 16:21:57 +02:00
of of: Preserve "of-display" device name for compatibility 2023-07-27 08:50:26 +02:00
opp opp: Fix use-after-free in lazy_opp_tables after probe deferral 2023-07-23 13:49:42 +02:00
parisc parisc: Replace regular spinlock with spin_trylock on panic path 2023-05-24 17:32:42 +01:00
parport
pci PCI: rockchip: Don't advertise MSI-X in PCIe capabilities 2023-08-03 10:23:51 +02:00
pcmcia
peci
perf perf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start() 2023-07-23 13:49:44 +02:00
phy phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() 2023-08-03 10:23:59 +02:00
pinctrl pinctrl: renesas: rzg2l: Handle non-unique subnode names 2023-07-27 08:50:38 +02:00
platform platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100 2023-08-03 10:24:01 +02:00
pnp
power power: supply: Fix logic checking if system is running from battery 2023-06-21 16:00:52 +02:00
powercap powercap: RAPL: Fix CONFIG_IOSF_MBI dependency 2023-07-19 16:21:00 +02:00
pps
ps3
ptp ptp_qoriq: fix memory leak in probe() 2023-04-06 12:10:44 +02:00
pwm pwm: meson: fix handling of period/duty if greater than UINT_MAX 2023-07-23 13:49:46 +02:00
rapidio
ras
regulator regulator: tps65219: Fix matching interrupts for their regulators 2023-07-19 16:22:14 +02:00
remoteproc remoteproc: imx_dsp_rproc: Fix kernel test robot sparse warning 2023-05-24 17:32:53 +01:00
reset
rpmsg rpmsg: glink: Propagate TX failures in intentless mode as well 2023-05-11 23:03:16 +09:00
rtc rtc: st-lpc: Release some resources in st_rtc_probe() in case of error 2023-07-19 16:21:59 +02:00
s390 s390/zcrypt: do not retry administrative requests 2023-07-23 13:49:35 +02:00
sbus
scsi scsi: qla2xxx: Fix end of loop test 2023-07-23 13:49:49 +02:00
sh
siox
slimbus
soc soc: qcom: mdt_loader: Fix unconditional call to scm_pas_mem_setup 2023-07-23 13:49:34 +02:00
soundwire soundwire: qcom: update status correctly with mask 2023-08-03 10:23:57 +02:00
spi spi: dw: Remove misleading comment for Mount Evans SoC 2023-07-27 08:50:50 +02:00
spmi spmi: Add a check for remove callback when removing a SPMI driver 2023-05-11 23:03:31 +09:00
ssb
staging staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() 2023-08-03 10:24:12 +02:00
target scsi: target: iscsi: Prevent login threads from racing between each other 2023-06-28 11:12:35 +02:00
tc
tee tee: amdtee: Add return_origin to 'struct tee_cmd_load_ta' 2023-06-14 11:15:28 +02:00
thermal thermal/drivers/sun8i: Fix some error handling paths in sun8i_ths_probe() 2023-07-19 16:21:01 +02:00
thunderbolt thunderbolt: Mask ring interrupt on Intel hardware as well 2023-06-21 16:00:56 +02:00
tty tty: n_gsm: fix UAF in gsm_cleanup_mux 2023-08-03 10:24:12 +02:00
ufs scsi: ufs: ufs-mediatek: Add dependency for RESET_CONTROLLER 2023-07-23 13:49:21 +02:00
uio
usb Revert "usb: xhci: tegra: Fix error check" 2023-08-03 10:24:11 +02:00
vdpa vduse: avoid empty string for dev name 2023-06-14 11:15:32 +02:00
vfio vfio/mdev: Move the compat_class initialization to module init 2023-07-19 16:21:41 +02:00
vhost vhost_net: revert upend_idx only on retriable error 2023-06-28 11:12:40 +02:00
video fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe 2023-07-27 08:50:45 +02:00
virt virt: sevguest: Add CONFIG_CRYPTO dependency 2023-07-19 16:20:55 +02:00
virtio virtio_ring: don't update event idx on get_buf 2023-05-11 23:03:31 +09:00
vlynq
w1 w1: fix loop in w1_fini() 2023-07-19 16:21:48 +02:00
watchdog watchdog: menz069_wdt: fix watchdog initialisation 2023-06-09 10:34:07 +02:00
xen xenbus: check xen_domain in xenbus_probe_initcall 2023-08-03 10:24:05 +02:00
zorro
Kconfig
Makefile