Message-ID: <7d4dd8009a777a7d32f4872dc0285878dbbb91b8.camel@ispras.ru>
Subject: Re: [PATCH] platform/chrome: fix double-free in chromeos_laptop_prepare()
From: Rustam Subkhankulov
To: Tzung-Bi Shih
Cc: Benson Leung, Dmitry Torokhov, chrome-platform@lists.linux.dev, linux-kernel@vger.kernel.org, Alexey Khoroshilov, ldv-project@linuxtesting.org
Date: Sat, 20 Aug 2022 20:05:13 +0300
References: <20220813220843.2373004-1-subkhankulov@ispras.ru>

On Mon, 2022-08-15 at 05:00 +0000, Tzung-Bi Shih wrote:
> Alternatively, I would prefer to fix the double-free by setting
> `i2c_peripherals` to NULL after [1].

Since 'cros_laptop->num_i2c_peripherals' is assigned a nonzero value
(otherwise the code at 'err_out' is not executed), setting
'i2c_peripherals' to NULL after [1] will cause a NULL pointer dereference
in chromeos_laptop_destroy() at [2].

[1]: https://elixir.bootlin.com/linux/v5.19/source/drivers/platform/chrome/chromeos_laptop.c#L787
[2]: https://elixir.bootlin.com/linux/v5.19/source/drivers/platform/chrome/chromeos_laptop.c#L860

> After a quick glance, I found an invalid memory access at [2] if
> `i2c_peripherals` is NULL (see [3]).

After applying the patch, there will be no invalid memory access at [2]
if 'i2c_peripherals' is NULL, because in this situation
'cros_laptop->num_i2c_peripherals' is zero and the loop does not run
a single iteration.

> Or was the double-free issue discovered by some static analysis?

Yes, it was discovered by the SVACE static analysis tool.
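The three error-path variants weighed in this exchange, modelled as an added example that is not part of the thread, not the kernel's chromeos_laptop.c, and not the patch under review. A hypothetical `laptop_prepare()` populates an array and its count, then fails at a later step; its local error handling either frees the array itself, frees it and NULLs only the pointer, or leaves all teardown to `laptop_destroy()` (the `err_out` target). An instrumented allocator counts double frees, NULL dereferences and leaked blocks instead of performing the undefined behaviour. Every name here (`struct laptop`, `laptop_prepare`, `laptop_destroy`, `model_alloc`, `model_free`, `run_scenario`) is an assumption of the example; only the field names are borrowed from the thread for readability.

```c
#include <stdlib.h>

/* Hypothetical user-space model of the ownership pattern debated in this
 * thread. Field names echo the kernel driver for readability only; this is
 * not chromeos_laptop.c and it does not reproduce the patch under review. */
struct peripheral { void *client; };   /* per-peripheral owned resource */
struct laptop {
	struct peripheral *i2c_peripherals;
	unsigned int num_i2c_peripherals;
};

/* Instrumented allocator: a double free or NULL dereference is undefined
 * behaviour, so the model counts them instead of performing them. Blocks are
 * only marked freed and really released in model_reset(). */
struct alloc_rec { void *ptr; int freed; };
static struct alloc_rec allocs[16];       /* the model needs 3 per scenario */
static int nallocs, double_frees, null_derefs;

static void model_reset(void)
{
	for (int i = 0; i < nallocs; i++)
		free(allocs[i].ptr);
	nallocs = double_frees = null_derefs = 0;
}

static void *model_alloc(size_t n)
{
	void *p = calloc(1, n);
	allocs[nallocs++] = (struct alloc_rec){ p, 0 };
	return p;
}

static void model_free(void *p)         /* p == NULL is a no-op, like kfree() */
{
	for (int i = 0; p && i < nallocs; i++) {
		if (allocs[i].ptr != p)
			continue;
		double_frees += allocs[i].freed;  /* real code: heap corruption */
		allocs[i].freed = 1;
	}
}

/* Generic teardown (the err_out target): trusts num_i2c_peripherals to
 * describe i2c_peripherals, releases each client, then the array. */
static void laptop_destroy(struct laptop *lp)
{
	for (unsigned int i = 0; i < lp->num_i2c_peripherals; i++) {
		if (!lp->i2c_peripherals) {
			null_derefs++;            /* real code: oops on NULL dereference */
			break;
		}
		model_free(lp->i2c_peripherals[i].client);
	}
	model_free(lp->i2c_peripherals);
}

enum err_style {            /* what prepare()'s local error path does first */
	ERR_LOCAL_FREE,         /* free the array, leave pointer and count stale */
	ERR_LOCAL_FREE_NULL,    /* free the array, NULL the pointer, keep count */
	ERR_SINGLE_OWNER        /* free nothing locally; destroy() owns teardown */
};

/* Setup that populates array and count, then fails at a later step. */
static int laptop_prepare(struct laptop *lp, unsigned int n, enum err_style style)
{
	lp->i2c_peripherals = model_alloc(n * sizeof(*lp->i2c_peripherals));
	if (!lp->i2c_peripherals)
		return -1;
	lp->num_i2c_peripherals = n;
	for (unsigned int i = 0; i < n; i++)
		lp->i2c_peripherals[i].client = model_alloc(8);
	/* Simulated failure of a later step: local error handling first... */
	if (style != ERR_SINGLE_OWNER)
		model_free(lp->i2c_peripherals);
	if (style == ERR_LOCAL_FREE_NULL)
		lp->i2c_peripherals = NULL;
	laptop_destroy(lp);                   /* ...then err_out's teardown */
	return -1;
}

struct outcome { int double_frees, null_derefs, leaked; };

/* Runs one style on a two-peripheral laptop; reports what real code would do. */
static struct outcome run_scenario(enum err_style style)
{
	struct laptop lp = { 0 };
	struct outcome out = { 0 };
	model_reset();
	laptop_prepare(&lp, 2, style);
	out.double_frees = double_frees;
	out.null_derefs = null_derefs;
	for (int i = 0; i < nallocs; i++)
		out.leaked += !allocs[i].freed;
	model_reset();
	return out;
}
```

Calling `run_scenario()` with each style shows the trade-off the thread is about: freeing locally and falling through to the common teardown frees the array twice; clearing only the pointer trades the double free for a NULL dereference (and leaks the clients, since the loop never reaches them); leaving teardown to a single owner releases everything exactly once. The pointer and the count describe one resource, so any error path that touches one without the other leaves `destroy()` with an inconsistent view, which is exactly the kind of state mismatch static analysers such as the one mentioned above are good at flagging.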