author Justin M. Forbes <jforbes@fedoraproject.org> 2019-08-29 07:11:04 -0500
committer Justin M. Forbes <jforbes@fedoraproject.org> 2019-08-29 07:11:04 -0500
commit 206ff7fd1400a2c1764aeac4895dbce5d382077a
tree 65cbf3a35720974f914be07934500052f5342b07
parent 7a3465ebc10f7822d4724b6ada7f3415968b515b
Linux v5.2.11
Diffstat (limited to 'fix-a-double-free-bug-in-rsi_91x_deinit.patch')
-rw-r--r-- fix-a-double-free-bug-in-rsi_91x_deinit.patch | 121
1 files changed, 121 insertions, 0 deletions
diff --git a/fix-a-double-free-bug-in-rsi_91x_deinit.patch b/fix-a-double-free-bug-in-rsi_91x_deinit.patch
new file mode 100644
index 000000000..331817bda
--- /dev/null
+++ b/fix-a-double-free-bug-in-rsi_91x_deinit.patch
@@ -0,0 +1,121 @@
+From mboxrd@z Thu Jan 1 00:00:00 1970
+Return-Path: <SRS0=+RQC=WP=vger.kernel.org=linux-kernel-owner@kernel.org>
+X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
+ aws-us-west-2-korg-lkml-1.web.codeaurora.org
+X-Spam-Level:
+X-Spam-Status: No, score=-9.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
+ DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
+ HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,
+ SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no
+ version=3.4.0
+Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
+ by smtp.lore.kernel.org (Postfix) with ESMTP id EBD3AC3A5A0
+ for <linux-kernel@archiver.kernel.org>; Mon, 19 Aug 2019 22:02:45 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+ by mail.kernel.org (Postfix) with ESMTP id BCC05214DA
+ for <linux-kernel@archiver.kernel.org>; Mon, 19 Aug 2019 22:02:45 +0000 (UTC)
+Authentication-Results: mail.kernel.org;
+ dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="IRgzkkQ0"
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1728637AbfHSWCp (ORCPT
+ <rfc822;linux-kernel@archiver.kernel.org>);
+ Mon, 19 Aug 2019 18:02:45 -0400
+Received: from mail-io1-f67.google.com ([209.85.166.67]:33900 "EHLO
+ mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+ with ESMTP id S1728494AbfHSWCo (ORCPT
+ <rfc822;linux-kernel@vger.kernel.org>);
+ Mon, 19 Aug 2019 18:02:44 -0400
+Received: by mail-io1-f67.google.com with SMTP id s21so7791675ioa.1;
+ Mon, 19 Aug 2019 15:02:44 -0700 (PDT)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=gmail.com; s=20161025;
+ h=from:to:cc:subject:date:message-id:mime-version
+ :content-transfer-encoding;
+ bh=nkPsYIq5p1Usn95zadxgW7erLbA98guz1UFddB9orFo=;
+ b=IRgzkkQ0QlYiIqgU9DslAGaSx9oz5wU5adcfTZWc60ibm3DHynGVVixJrWxAut0Pae
+ ARzqaY1/pxrAMSpTdcKfCBtRoFPMFS8+WZsScW495O7Pf7bJTCDAo3OOueleEgGs9Osv
+ 59921BouToXc5Ovc92CQFjNHP3+/kGBqZvxV+QK34IvNWzoIEU93UHsUIxSn6eVvrsFU
+ g5treQ50nJkKHPa8rwc0Oh9s6WWKODy8zKxExTJhdznLdHOm5T7muHcEccqX8YZQ5L7d
+ ADPOmA+sRvWN3t/z9HxtD4g/Lgj4kzEYFnWJ9k7ClZwbnzn02QUlkT8waxriC/Wpe9nP
+ q53A==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20161025;
+ h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
+ :content-transfer-encoding;
+ bh=nkPsYIq5p1Usn95zadxgW7erLbA98guz1UFddB9orFo=;
+ b=oYozfHj6p7SMaYdxmSXvkqz3omwdyg+ftHjVBaHiAqBlnLj6x9531et8jUk50jueoT
+ y2cU/oVuoVQsCwOEu43hu26qlol2JSmB1xXJj0Za8nKZa3h3GF5CKG8/dexHz8TzCJX1
+ vo/TNPdY3AlW7Sn9JLnWCqFK+QgbPhjdBs+6Hbh+5nkCxIG5dVn0FfYbLYATeh/888YB
+ pTCJ8dkbLQiWXEJam6b9NoOpcIzbpcb7rL3A355C/1AGZsCy/NlKmneuw0Va10AnswkK
+ KBYv+EisB1L8oCP9l6r5fp4PUqyMH3TjrBdJddx8EQ9cq8SORiLtmmRuF8e3kdImDEK4
+ 6Gcw==
+X-Gm-Message-State: APjAAAXB6U8H/6BuBUmOb6K7bk/qaEOOS1bw9RIpAgXyrExtL8rl/B99
+ 17LNTRGgJKvcUB6qlr4ZRbY=
+X-Google-Smtp-Source: APXvYqzjT1oN5/e8keSQCjVxoTzLRGG1vuf4kTYM+hq51sy7QzOV0GLDOYYsYVB78xsRtsZrFijh0Q==
+X-Received: by 2002:a6b:f30b:: with SMTP id m11mr21952710ioh.214.1566252163559;
+ Mon, 19 Aug 2019 15:02:43 -0700 (PDT)
+Received: from peng.science.purdue.edu (cos-128-210-107-27.science.purdue.edu. [128.210.107.27])
+ by smtp.googlemail.com with ESMTPSA id z9sm2850133ior.79.2019.08.19.15.02.42
+ (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
+ Mon, 19 Aug 2019 15:02:43 -0700 (PDT)
+From: Hui Peng <benquike@gmail.com>
+To: security@kernel.org
+Cc: Hui Peng <benquike@gmail.com>,
+ Mathias Payer <mathias.payer@nebelwelt.net>,
+ Kalle Valo <kvalo@codeaurora.org>,
+ "David S. Miller" <davem@davemloft.net>,
+ linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
+ linux-kernel@vger.kernel.org
+Subject: [PATCH] Fix a double free bug in rsi_91x_deinit
+Date: Mon, 19 Aug 2019 18:02:29 -0400
+Message-Id: <20190819220230.10597-1-benquike@gmail.com>
+X-Mailer: git-send-email 2.22.1
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+Archived-At: <https://lore.kernel.org/lkml/20190819220230.10597-1-benquike@gmail.com/>
+List-Archive: <https://lore.kernel.org/lkml/>
+List-Post: <mailto:linux-kernel@vger.kernel.org>
+
+`dev` (struct rsi_91x_usbdev *) field of adapter
+(struct rsi_91x_usbdev *) is allocated and initialized in
+`rsi_init_usb_interface`. If any error is detected in information
+read from the device side, `rsi_init_usb_interface` will be
+freed. However, in the higher level error handling code in
+`rsi_probe`, if error is detected, `rsi_91x_deinit` is called
+again, in which `dev` will be freed again, resulting double free.
+
+This patch fixes the double free by removing the free operation on
+`dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also
+used in `rsi_disconnect`, in that code path, the `dev` field is not
+ (and thus needs to be) freed.
+
+This bug was found in v4.19, but is also present in the latest version
+of kernel.
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c
+index c0a163e40402..ac917227f708 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -640,7 +640,6 @@ static int rsi_init_usb_interface(struct rsi_hw *adapter,
+ kfree(rsi_dev->tx_buffer);
+
+ fail_eps:
+- kfree(rsi_dev);
+
+ return status;
+ }
+--
+2.22.1
+
+
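Review bot: In the embedded rsi_91x_usb.c change, removing `kfree(rsi_dev);` under `fail_eps:` hands ownership of `rsi_dev` on the error path entirely to the caller, so the fix is only complete if every failure return from `rsi_init_usb_interface` reaches `rsi_91x_deinit`. The message names `rsi_probe` as that caller, but its error path is not visible here and should be confirmed, otherwise the double free becomes a leak. A comment at `fail_eps:` stating that `rsi_dev` is released by `rsi_91x_deinit` would stop a later cleanup from reintroducing the free, and since the label is now followed only by `return status;` it could be folded into the preceding label. The commit text also needs tightening: it gives the adapter's type as `struct rsi_91x_usbdev *` while the hunk header shows `struct rsi_hw *adapter`, and it says "`rsi_init_usb_interface` will be freed" where `dev` is meant. For the packaged patch file itself, the mbox transport headers (Received, DKIM-Signature, X-Spam-*) add about eighty lines of noise; From, Subject, Date and the Archived-At link are enough to identify the upstream submission.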