diff options
| author | John Hubbard <jhubbard@nvidia.com> | 2018-08-23 09:16:58 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-09-12 10:14:24 +0300 |
| commit | c1a214ad82d7ac6f19fe48f90b13403b40ead9dc (patch) | |
| tree | e7ca8a8b888ac979e78ca50ce7bf1582acef3894 /drivers/misc/mei/bus.c | |
| parent | 8d2d8935d30cc2acc57a3196dc10dfa8d5cbcdab (diff) | |
| download | linux-c1a214ad82d7ac6f19fe48f90b13403b40ead9dc.tar.xz | |
mei: fix use-after-free in mei_cl_write
KASAN reports a use-after-free during startup, in mei_cl_write:
BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei]
(drivers/misc/mei/client.c:1770)
This is caused by commit 98e70866aacb ("mei: add support for variable
length mei headers."), which changed the return value from len, to
buf->size. That ends up using a stale buf pointer, because blocking
call, the cb (callback) is deleted in me_cl_complete() function.
However, fortunately, len remains unchanged throughout the function
(and I don't see anything else that would require re-reading buf->size
either), so the fix is to simply revert the change, and return len, as
before.
Fixes: 98e70866aacb ("mei: add support for variable length mei headers.")
CC: Arnd Bergmann <arnd@arndb.de>
CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/misc/mei/bus.c')
0 files changed, 0 insertions, 0 deletions