[PATCH 6.1] platform/x86: android-platform: deref after free in x86_android_tablet_init() fix

Aleksandr Burakov posted 1 patch 2 months, 1 week ago
drivers/platform/x86/x86-android-tablets.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH 6.1] platform/x86: android-platform: deref after free in x86_android_tablet_init() fix
Posted by Aleksandr Burakov 2 months, 1 week ago
No upstream commit exists for this commit.

Pointer '&pdevs[i]' is dereferenced at x86_android_tablet_init()
after the referenced memory was deallocated by calling function
'x86_android_tablet_cleanup()'.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs")
Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
---
 drivers/platform/x86/x86-android-tablets.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/platform/x86/x86-android-tablets.c b/drivers/platform/x86/x86-android-tablets.c
index 9178076d9d7d..9838c5332201 100644
--- a/drivers/platform/x86/x86-android-tablets.c
+++ b/drivers/platform/x86/x86-android-tablets.c
@@ -1853,8 +1853,9 @@ static __init int x86_android_tablet_init(void)
 	for (i = 0; i < pdev_count; i++) {
 		pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]);
 		if (IS_ERR(pdevs[i])) {
+			int ret = PTR_ERR(pdevs[i]);
 			x86_android_tablet_cleanup();
-			return PTR_ERR(pdevs[i]);
+			return ret;
 		}
 	}
 
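Review bot: The changelog wording "Pointer '&pdevs[i]' is dereferenced" is analyzer phrasing and is hard to map onto the removed line `return PTR_ERR(pdevs[i]);`. Please say plainly that the element pdevs[i] is read from the pdevs array after x86_android_tablet_cleanup() has already released that array, since the free itself is not visible in this hunk. Fetching the value with `int ret = PTR_ERR(pdevs[i]);` before the cleanup call is the right order.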
-- 
2.25.1
Re: [lvc-patches] [PATCH 6.1] platform/x86: android-platform: deref after free in x86_android_tablet_init() fix
Posted by Sergey Shtylyov 2 months, 1 week ago
On 9/17/24 15:04, Aleksandr Burakov wrote:

> No upstream commit exists for this commit.
> 
> Pointer '&pdevs[i]' is dereferenced at x86_android_tablet_init()

   s/at/in.

> after the referenced memory was deallocated by calling function
> 'x86_android_tablet_cleanup()'.

   No quotes around a function name the 1st time, and here they are
the 2nd time. Please be consistent...

> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs")
> Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
> ---
>  drivers/platform/x86/x86-android-tablets.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/platform/x86/x86-android-tablets.c b/drivers/platform/x86/x86-android-tablets.c
> index 9178076d9d7d..9838c5332201 100644
> --- a/drivers/platform/x86/x86-android-tablets.c
> +++ b/drivers/platform/x86/x86-android-tablets.c
> @@ -1853,8 +1853,9 @@ static __init int x86_android_tablet_init(void)
>  	for (i = 0; i < pdev_count; i++) {
>  		pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]);
>  		if (IS_ERR(pdevs[i])) {
> +			int ret = PTR_ERR(pdevs[i]);

   Need an empty line after the declaration, BTW...

>  			x86_android_tablet_cleanup();
> -			return PTR_ERR(pdevs[i]);
> +			return ret;
>  		}
>  	}
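Review bot: `int ret` is declared inside the IS_ERR(pdevs[i]) branch only to carry the error code across x86_android_tablet_cleanup(). If x86_android_tablet_init() already has a function-scope error variable (not visible in this hunk), reuse it rather than adding a block-local one. If the declaration stays, a one-line comment above it noting that cleanup frees pdevs would keep a later edit from moving the PTR_ERR() call back below the cleanup.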

MBR, Sergey
Re: [PATCH 6.1] platform/x86: android-platform: deref after free in x86_android_tablet_init() fix
Posted by Hans de Goede 2 months, 1 week ago
Hi,

Thank you for your patch.

On 9/17/24 2:04 PM, Aleksandr Burakov wrote:
> No upstream commit exists for this commit.

Right, which is bad, especially since the upstream code actually still has this bug.

NACK.

Note that upstream in drivers/platform/x86/x86-android-tablets/core.c
the same issue is also present around line 447:

                pdevs[pdev_count] = platform_device_register_data(&pdev->dev, "gpio-keys",
                                                                  PLATFORM_DEVID_AUTO,
                                                                  &pdata, sizeof(pdata));
                if (IS_ERR(pdevs[pdev_count])) {
                        x86_android_tablet_remove(pdev);
                        return PTR_ERR(pdevs[pdev_count]);
                }
                pdev_count++;

Please submit a fix for both issues upstream, once that has been merged
you can submit a backport with a proper upstream commit reference.

Regards,

Hans

> 
> Pointer '&pdevs[i]' is dereferenced at x86_android_tablet_init()
> after the referenced memory was deallocated by calling function
> 'x86_android_tablet_cleanup()'.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs")
> Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
> ---
>  drivers/platform/x86/x86-android-tablets.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/platform/x86/x86-android-tablets.c b/drivers/platform/x86/x86-android-tablets.c
> index 9178076d9d7d..9838c5332201 100644
> --- a/drivers/platform/x86/x86-android-tablets.c
> +++ b/drivers/platform/x86/x86-android-tablets.c
> @@ -1853,8 +1853,9 @@ static __init int x86_android_tablet_init(void)
>  	for (i = 0; i < pdev_count; i++) {
>  		pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]);
>  		if (IS_ERR(pdevs[i])) {
> +			int ret = PTR_ERR(pdevs[i]);
>  			x86_android_tablet_cleanup();
> -			return PTR_ERR(pdevs[i]);
> +			return ret;
>  		}
>  	}
>
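Review bot: Every error path that runs the cleanup routine and then returns PTR_ERR() of a pdevs element needs the same reordering, not only the IS_ERR(pdevs[i]) branch in this loop. The upstream snippet quoted earlier in this reply has the same order in its gpio-keys path, where x86_android_tablet_remove(pdev) is followed by `return PTR_ERR(pdevs[pdev_count]);`. Audit the rest of x86_android_tablet_init() for other places where x86_android_tablet_cleanup() is followed by a read of pdevs, and fix them in the same patch so the stable backport and the upstream fix cover the same set of paths.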