| Message ID | 20221117034423.2935739-1-cuigaosheng1@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | hwmon: Fix possible UAF when ibmpex_register_bmc() fails | expand |
On Thu, Nov 17, 2022 at 11:44:23AM +0800, Gaosheng Cui wrote: > Smatch report warning as follows: > > drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: > '&data->list' not removed from list > > If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will > be freed, but data->list will not be removed from driver_data.bmc_data, > then list traversal may cause UAF. > > Fix by removeing it from driver_data.bmc_data before free(). > > Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver") > Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Applied. Thanks, Guenter
diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c index f6ec165c0fa8..1837cccd993c 100644 --- a/drivers/hwmon/ibmpex.c +++ b/drivers/hwmon/ibmpex.c @@ -502,6 +502,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev) return; out_register: + list_del(&data->list); hwmon_device_unregister(data->hwmon_dev); out_user: ipmi_destroy_user(data->user);
Smatch report warning as follows: drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: '&data->list' not removed from list If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will be freed, but data->list will not be removed from driver_data.bmc_data, then list traversal may cause UAF. Fix by removeing it from driver_data.bmc_data before free(). Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver") Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> --- drivers/hwmon/ibmpex.c | 1 + 1 file changed, 1 insertion(+)