From: Takashi Sakamoto To: tiwai@suse.de Cc: linux1394-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org, Chengfeng Ye , stable@vger.kernel.org Subject: [PATCH 1/3] firewire: fix potential uaf in outbound_phy_packet_callback() Date: Sat, 9 Apr 2022 13:12:41 +0900 Message-Id: <20220409041243.603210-2-o-takashi@sakamocchi.jp> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220409041243.603210-1-o-takashi@sakamocchi.jp> References: <20220409041243.603210-1-o-takashi@sakamocchi.jp> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Chengfeng Ye &e->event and e point to the same address, and &e->event could be freed in queue_event. So there is a potential uaf issue if we dereference e after calling queue_event(). Fix this by adding a temporary variable to maintain e->client in advance, this can avoid the potential uaf issue. Cc: Signed-off-by: Chengfeng Ye Signed-off-by: Takashi Sakamoto --- drivers/firewire/core-cdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c index 9f89c17730b1..708e417200f4 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c @@ -1500,6 +1500,7 @@ static void outbound_phy_packet_callback(struct fw_packet *packet, { struct outbound_phy_packet_event *e = container_of(packet, struct outbound_phy_packet_event, p); + struct client *e_client; switch (status) { /* expected: */ 
@@ -1516,9 +1517,10 @@ static void outbound_phy_packet_callback(struct fw_packet *packet, } e->phy_packet.data[0] = packet->timestamp; + e_client = e->client; queue_event(e->client, &e->event, &e->phy_packet, sizeof(e->phy_packet) + e->phy_packet.length, NULL, 0); - client_put(e->client); + client_put(e_client); } static int ioctl_send_phy_packet(struct client *client, union ioctl_arg *arg) -- 2.34.1
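Review bot: in the second hunk, the new `e_client = e->client;` line deserves a one-line comment stating why the temporary exists, because nothing at the call site shows that `queue_event()` can free the `outbound_phy_packet_event` that `e` points into (the commit message explains that `&e->event` and `e` share an address and `&e->event` may be freed inside `queue_event()`); without that comment a later cleanup could fold `e_client` back into `e->client` and reintroduce the use-after-free. Something like `/* queue_event() may free e; read e->client before the call. */` above the assignment would do. The remaining `e->` dereferences inside the `queue_event()` argument list are fine, since they are evaluated before the call, and `client_put(e_client)` after it is the only access that needed to move.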