From: Tomas Winkler
To: Greg Kroah-Hartman
Cc: Alexander Usyskin, linux-kernel@vger.kernel.org, John Hubbard, Arnd Bergmann, Tomas Winkler
Subject: [char-misc for 4.19] mei: fix use-after-free in mei_cl_write
Date: Thu, 23 Aug 2018 09:16:58 +0300
Message-Id: <20180823061658.28578-1-tomas.winkler@intel.com>
X-Mailer: git-send-email 2.14.4
X-Mailing-List: linux-kernel@vger.kernel.org
From: John Hubbard

KASAN reports a use-after-free during startup, in mei_cl_write:

    BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei] (drivers/misc/mei/client.c:1770)

This is caused by commit 98e70866aacb ("mei: add support for variable length mei headers."), which changed the return value from len to buf->size. That ends up using a stale buf pointer, because in a blocking call the cb (callback) is deleted in the mei_cl_complete() function.

However, fortunately, len remains unchanged throughout the function (and I don't see anything else that would require re-reading buf->size either), so the fix is to simply revert the change, and return len, as before.

Fixes: 98e70866aacb ("mei: add support for variable length mei headers.")
CC: Arnd Bergmann
CC: Greg Kroah-Hartman
Signed-off-by: John Hubbard
Signed-off-by: Tomas Winkler
---
V2:
1. Add a better explanation in the commit message.
2. Add Fixes: marker.

BTW: The usage of len is changed in further patches that were not yet merged.

 drivers/misc/mei/client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/misc/mei/client.c b/drivers/misc/mei/client.c
index 4ab6251d418e..ebdcf0b450e2 100644
--- a/drivers/misc/mei/client.c
+++ b/drivers/misc/mei/client.c
@@ -1767,7 +1767,7 @@ ssize_t mei_cl_write(struct mei_cl *cl, struct mei_cl_cb *cb)
 		}
 	}
 
-	rets = buf->size;
+	rets = len;
 err:
 	cl_dbg(dev, cl, "rpm: autosuspend\n");
 	pm_runtime_mark_last_busy(dev->dev);
-- 
2.14.4
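Review bot: the changed line `rets = len;` is safe only because, as the commit message says, len stays unchanged throughout the function while cb (and buf with it) is deleted in the blocking path, and nothing in the hunk records that constraint; since the cover note says the handling of len changes again in patches not yet merged, add a short comment above the assignment, for example `/* cb and buf may already be freed by the completion path; do not dereference them here */`, so the next change to this return path does not reintroduce the stale read.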
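The lifetime hazard the commit message describes, written out as an added user-space model; this is example code, not the mei driver's code and not part of the patch. Every name (model_cb, model_write_buggy, model_write_fixed, the model_pool allocator) is invented. Requests come from a fixed pool whose slots are never recycled, and a checked accessor refuses reads from a freed slot; that stands in for KASAN so the stale read is reported deterministically instead of being undefined behaviour. The buggy shape re-reads buf->size after the blocking wait, the fixed shape returns the len captured before it.

```c
/*
 * Added example, not part of the patch or the mei driver: a user-space
 * model of the blocking-write lifetime hazard. The completion routine
 * frees the request (cb), so any read through cb or buf after the wait
 * is a use-after-free. A never-recycled pool plus a checked accessor
 * stands in for KASAN. All model_* names are invented.
 */
#include <stddef.h>
#include <stdio.h>

#define MODEL_POOL_SLOTS 4

struct model_buf {
	size_t size;
};

struct model_cb {
	struct model_buf buf;
};

static struct model_cb model_pool[MODEL_POOL_SLOTS];
static int model_slot_used[MODEL_POOL_SLOTS];   /* ever handed out */
static int model_slot_freed[MODEL_POOL_SLOTS];  /* freed; never reused */

/* Hand out a never-used slot whose buffer has the given size, or NULL. */
struct model_cb *model_cb_alloc(size_t size)
{
	for (int i = 0; i < MODEL_POOL_SLOTS; i++) {
		if (!model_slot_used[i]) {
			model_slot_used[i] = 1;
			model_pool[i].buf.size = size;
			return &model_pool[i];
		}
	}
	return NULL;
}

static int model_slot_of(const struct model_cb *cb)
{
	return (int)(cb - model_pool);
}

static void model_cb_free(struct model_cb *cb)
{
	model_slot_freed[model_slot_of(cb)] = 1;
}

int model_cb_is_freed(const struct model_cb *cb)
{
	return model_slot_freed[model_slot_of(cb)];
}

/* Checked read of buf->size: -1 reports a read through a freed cb. */
static long model_checked_size(const struct model_cb *cb)
{
	if (model_cb_is_freed(cb))
		return -1;
	return (long)cb->buf.size;
}

/* Completion routine: the peer side of the wait; it owns and frees cb. */
static void model_cl_complete(struct model_cb *cb)
{
	model_cb_free(cb);
}

/* Stands in for the blocking wait: completion has run before it returns. */
static void model_blocking_wait(struct model_cb *cb)
{
	model_cl_complete(cb);
}

/* Pre-fix shape: the return value is re-read through buf after the wait. */
long model_write_buggy(struct model_cb *cb)
{
	struct model_buf *buf = &cb->buf;
	size_t len = buf->size;

	(void)len;                       /* captured, but not used for the return */
	model_blocking_wait(cb);         /* cb, and buf with it, are gone after this */
	return model_checked_size(cb);   /* the stale read; reported as -1 */
}

/* Fixed shape: everything needed after the wait was captured before it. */
long model_write_fixed(struct model_cb *cb)
{
	struct model_buf *buf = &cb->buf;
	size_t len = buf->size;

	model_blocking_wait(cb);
	return (long)len;                /* no dereference of cb or buf here */
}

int main(void)
{
	struct model_cb *a = model_cb_alloc(9);
	struct model_cb *b = model_cb_alloc(9);

	printf("buggy returns %ld (-1 = read through freed cb)\n", model_write_buggy(a));
	printf("fixed returns %ld\n", model_write_fixed(b));
	return 0;
}
```

The model keeps the same ordering as the driver path: capture what the caller needs, hand the request to the completion side, and treat the request pointer as dead from that point on. Anything a future change adds after the wait must use values captured before it, which is the review point on the patch above.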