[PATCH openEuler-1.0-LTS] hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails

29 Oct 2024

From: Gaosheng Cui cuigaosheng1@huawei.com
stable inclusion
from stable-v4.19.268
commit 24b9633f7db7f4809be7053df1d2e117e7c2de10
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRE1
CVE: CVE-2022-49029
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit e2a87785aab0dac190ac89be6a9ba955e2c634f2 ]
Smatch report warning as follows:
drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:
  '&data->list' not removed from list
If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will
be freed, but data->list will not be removed from driver_data.bmc_data,
then list traversal may cause UAF.
Fix by removeing it from driver_data.bmc_data before free().
Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver")
Signed-off-by: Gaosheng Cui cuigaosheng1@huawei.com
Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.com
Signed-off-by: Guenter Roeck linux@roeck-us.net
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Cui GaoSheng cuigaosheng1@huawei.com
---
 drivers/hwmon/ibmpex.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c
index ab72cabf5a95..e289c845f970 100644
--- a/drivers/hwmon/ibmpex.c
+++ b/drivers/hwmon/ibmpex.c
@@ -517,6 +517,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev)
    return;
out_register:
+	list_del(&data->list);
    hwmon_device_unregister(data->hwmon_dev);
 out_user:
    ipmi_destroy_user(data->user);
-- 
2.34.1


    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-1.0-LTS] hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails