[PATCH openEuler-22.03-LTS-SP1 0/2] CVE-2022-48703 - Kernel - mailweb.openeuler.org

newer
[OLK-6.6] RDMA/hns: Fix some mutex...

[PATCH openEuler-22.03-LTS-SP1 0/2] CVE-2022-48703

older
[PATCH OLK-5.10 0/2] CVE-2022-48703

Pu Lehui

25 Jun 2024 25 Jun '24

3:04 p.m.

Lee, Chun-Yi (1): thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR Rafael J. Wysocki (1): thermal: int340x_thermal: Consolidate priv->data_vault checks drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) -- 2.34.1

Reply

Sign in to reply online Use email software

Show replies by date

Pu Lehui

25 Jun 25 Jun

3:04 p.m.

New subject: [PATCH openEuler-22.03-LTS-SP1 1/2] thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR

From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com> mainline inclusion from mainline-v6.0-rc3 commit 7931e28098a4c1a2a6802510b0cbe57546d2049d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9LKDZ CVE: CVE-2022-48703 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- In some case, the GDDV returns a package with a buffer which has zero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10). Then the data_vault_read() got NULL point dereference problem when accessing the 0x10 value in data_vault. [ 71.024560] BUG: kernel NULL pointer dereference, address: 0000000000000010 This patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or NULL value in data_vault. Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Conflicts: drivers/thermal/intel/int340x_thermal/int3400_thermal.c [The conflicts were caused by not merged 9e5d3d6be664 ("thermal: int340x: Consolidate freeing of acpi_buffer pointer")] Signed-off-by: Pu Lehui <pulehui@huawei.com> --- drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c index 28913867cd4b..a064a4eb31fb 100644 --- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c +++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c @@ -466,7 +466,7 @@ static void int3400_setup_gddv(struct int3400_thermal_priv *priv) priv->data_vault = kmemdup(obj->package.elements[0].buffer.pointer, obj->package.elements[0].buffer.length, GFP_KERNEL); - if (!priv->data_vault) { + if (ZERO_OR_NULL_PTR(priv->data_vault)) { kfree(buffer.pointer); return; } @@ -531,7 +531,7 @@ static int int3400_thermal_probe(struct platform_device *pdev) if (result) goto free_rel_misc; - if (priv->data_vault) { + if (!ZERO_OR_NULL_PTR(priv->data_vault)) { result = sysfs_create_group(&pdev->dev.kobj, &data_attribute_group); if (result) @@ -549,7 +549,8 @@ static int int3400_thermal_probe(struct platform_device *pdev) free_sysfs: cleanup_odvp(priv); if (priv->data_vault) { - sysfs_remove_group(&pdev->dev.kobj, &data_attribute_group); + if (!ZERO_OR_NULL_PTR(priv->data_vault)) + sysfs_remove_group(&pdev->dev.kobj, &data_attribute_group); kfree(priv->data_vault); } free_uuid: @@ -579,7 +580,7 @@ static int int3400_thermal_remove(struct platform_device *pdev) if (!priv->rel_misc_dev_res) acpi_thermal_rel_misc_device_remove(priv->adev->handle); - if (priv->data_vault) + if (!ZERO_OR_NULL_PTR(priv->data_vault)) sysfs_remove_group(&pdev->dev.kobj, &data_attribute_group); sysfs_remove_group(&pdev->dev.kobj, &uuid_attribute_group); thermal_zone_device_unregister(priv->thermal); -- 2.34.1

Reply

Sign in to reply online Use email software

Pu Lehui

3:04 p.m.

New subject: [PATCH openEuler-22.03-LTS-SP1 2/2] thermal: int340x_thermal: Consolidate priv->data_vault checks

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com> mainline inclusion from mainline-v6.1-rc1 commit e9a7c526c29b0ae60c888b335bd6cf6e2ee80154 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9LKDZ CVE: CVE-2022-48703 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- It is sufficient to check priv->data_vault once in the error code path of int3400_thermal_probe(), so do that. Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Pu Lehui <pulehui@huawei.com> --- drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c index a064a4eb31fb..588d8fb12490 100644 --- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c +++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c @@ -548,9 +548,8 @@ static int int3400_thermal_probe(struct platform_device *pdev) free_sysfs: cleanup_odvp(priv); - if (priv->data_vault) { - if (!ZERO_OR_NULL_PTR(priv->data_vault)) - sysfs_remove_group(&pdev->dev.kobj, &data_attribute_group); + if (!ZERO_OR_NULL_PTR(priv->data_vault)) { + sysfs_remove_group(&pdev->dev.kobj, &data_attribute_group); kfree(priv->data_vault); } free_uuid: -- 2.34.1

Reply

Sign in to reply online Use email software

patchwork bot

3:05 p.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://gitee.com/openeuler/kernel/pulls/9431 邮件列表地址：https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/I... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/9431 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/I...

Reply

Sign in to reply online Use email software

245

Age (days ago)

245

Last active (days ago)

3 comments

2 participants

tags

participants (2)

patchwork bot
Pu Lehui