[PATCH openEuler-1.0-LTS 0/2] fix CVE-2022-50384 and CVE-2022-50249
Gaosheng Cui (1): staging: vme_user: Fix possible UAF in tsi148_dma_list_add Liang He (1): memory: of: Fix refcount leak bug in of_get_ddr_timings() drivers/memory/of_memory.c | 1 + drivers/vme/bridges/vme_tsi148.c | 1 + 2 files changed, 2 insertions(+) -- 2.25.1
From: Liang He <windhl@126.com> stable inclusion from stable-v4.19.262 commit 68c9c4e6495b825be3a8946df1a0148399555fe4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICY47H CVE: CVE-2022-50249 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 05215fb32010d4afb68fbdbb4d237df6e2d4567b ] We should add the of_node_put() when breaking out of for_each_child_of_node() as it will automatically increase and decrease the refcount. Fixes: e6b42eb6a66c ("memory: emif: add device tree support to emif driver") Signed-off-by: Liang He <windhl@126.com> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Link: https://lore.kernel.org/r/20220719085640.1210583-1-windhl@126.com Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Tong Tiangen <tongtiangen@huawei.com> --- drivers/memory/of_memory.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/memory/of_memory.c b/drivers/memory/of_memory.c index 2f5ed7366eec..83a559d48f93 100644 --- a/drivers/memory/of_memory.c +++ b/drivers/memory/of_memory.c @@ -135,6 +135,7 @@ const struct lpddr2_timings *of_get_ddr_timings(struct device_node *np_ddr, for_each_child_of_node(np_ddr, np_tim) { if (of_device_is_compatible(np_tim, tim_compat)) { if (of_do_get_timings(np_tim, &timings[i])) { + of_node_put(np_tim); devm_kfree(dev, timings); goto default_timings; } -- 2.25.1
From: Gaosheng Cui <cuigaosheng1@huawei.com> stable inclusion from stable-v4.19.270 commit e6b0adff99edf246ba1f8d464530a0438cb1cbda category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYQLO CVE: CVE-2022-50384 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ] Smatch report warning as follows: drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn: '&entry->list' not removed from list In tsi148_dma_list_add(), the error path "goto err_dma" will not remove entry->list from list->entries, but entry will be freed, then list traversal may cause UAF. Fix by removeing it from list->entries before free(). Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping") Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Tong Tiangen <tongtiangen@huawei.com> --- drivers/vme/bridges/vme_tsi148.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/vme/bridges/vme_tsi148.c b/drivers/vme/bridges/vme_tsi148.c index 647d231d4422..b1be12dc61eb 100644 --- a/drivers/vme/bridges/vme_tsi148.c +++ b/drivers/vme/bridges/vme_tsi148.c @@ -1775,6 +1775,7 @@ static int tsi148_dma_list_add(struct vme_dma_list *list, return 0; err_dma: + list_del(&entry->list); err_dest: err_source: err_align: -- 2.25.1
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/18174 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/KGP... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/18174 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/KGP...
participants (2)
-
patchwork bot -
Tong Tiangen