diff options
| author | Tuo Li <islituo@gmail.com> | 2026-06-10 05:50:14 +0300 |
|---|---|---|
| committer | Helge Deller <deller@gmx.de> | 2026-06-10 18:13:58 +0300 |
| commit | 85b6256469cebdac395e7447147e06b2e151014f (patch) | |
| tree | eb8d86b2b2a1bda9296b1e8723d108d9a353a221 | |
| parent | 60786bff19772504706d1a4034d911dc5a1f2010 (diff) | |
| download | linux-85b6256469cebdac395e7447147e06b2e151014f.tar.xz | |
fbdev: modedb: fix a possible UAF in fb_find_mode()
If mode_option is NULL, it is assigned from mode_option_buf:
if (!mode_option) {
fb_get_options(NULL, &mode_option_buf);
mode_option = mode_option_buf;
}
Later, name is assigned from mode_option:
const char *name = mode_option;
However, mode_option_buf is freed before name is no longer used:
kfree(mode_option_buf);
while name is still accessed by:
if ((name_matches(db[i], name, namelen) ||
Since name aliases mode_option_buf, this may result in a
use-after-free.
Fix this by extending the lifetime of mode_option_buf until the end of the
function by using scope-based resource management for cleanup.
Signed-off-by: Tuo Li <islituo@gmail.com>
Cc: stable@vger.kernel.org # v6.5+
Signed-off-by: Helge Deller <deller@gmx.de>
| -rw-r--r-- | drivers/video/fbdev/core/modedb.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/video/fbdev/core/modedb.c b/drivers/video/fbdev/core/modedb.c index 703d0b7aec32..b6926764a99c 100644 --- a/drivers/video/fbdev/core/modedb.c +++ b/drivers/video/fbdev/core/modedb.c @@ -626,7 +626,7 @@ int fb_find_mode(struct fb_var_screeninfo *var, const struct fb_videomode *default_mode, unsigned int default_bpp) { - char *mode_option_buf = NULL; + char *mode_option_buf __free(kfree) = NULL; int i; /* Set up defaults */ @@ -724,7 +724,6 @@ int fb_find_mode(struct fb_var_screeninfo *var, res_specified = 1; } done: - kfree(mode_option_buf); if (cvt) { struct fb_videomode cvt_mode; int ret; |