2019-11-05 08:36:02

by Pan Bian

Subject: [PATCH] NFC: fdp: fix incorrect free object

The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is
incorrect, which may result in a system crash or other security impacts.
The expected object to free is *fw_vsc_cfg.

Signed-off-by: Pan Bian <[email protected]>
---
drivers/nfc/fdp/i2c.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c
index 1cd113c8d7cb..ad0abb1f0bae 100644
--- a/drivers/nfc/fdp/i2c.c
+++ b/drivers/nfc/fdp/i2c.c
@@ -259,7 +259,7 @@ static void fdp_nci_i2c_read_device_properties(struct device *dev,
*fw_vsc_cfg, len);

if (r) {
- devm_kfree(dev, fw_vsc_cfg);
+ devm_kfree(dev, *fw_vsc_cfg);
goto vsc_read_err;
}
} else {
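
Review bot: In the `if (r)` branch, `*fw_vsc_cfg` still holds the address that `devm_kfree(dev, *fw_vsc_cfg)` has just released, and because the function is `static void` the caller has no return code to tell it the buffer is gone. Unless the code at `vsc_read_err` (outside this hunk) already resets it, add `*fw_vsc_cfg = NULL;` before the `goto` so the caller cannot use or free the stale pointer. A `Fixes:` tag naming the commit that introduced the wrong `devm_kfree()` argument would also help the -stable backport.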
--
2.7.4


2019-11-06 02:35:51

by David Miller

Subject: Re: [PATCH] NFC: fdp: fix incorrect free object

From: Pan Bian <[email protected]>
Date: Tue, 5 Nov 2019 16:34:07 +0800

> The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is
> incorrect, which may result in a system crash or other security impacts.
> The expected object to free is *fw_vsc_cfg.
>
> Signed-off-by: Pan Bian <[email protected]>

Applied and queued up for -stable, thanks.