hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
[ Upstream commit e2a8778 ]

Smatch reports a warning as follows:

drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:
  '&data->list' not removed from list

If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will
be freed, but data->list will not be removed from driver_data.bmc_data,
then list traversal may cause UAF.

Fix by removing it from driver_data.bmc_data before free().

Fixes: 57c7c3a ("hwmon: IBM power meter driver")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
gscui authored and gregkh committed Dec 8, 2022
1 parent 30a65b0 commit e65cfd1
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions drivers/hwmon/ibmpex.c
Expand Up @@ -502,6 +502,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev)
return;

out_register:
list_del(&data->list);
hwmon_device_unregister(data->hwmon_dev);
out_user:
ipmi_destroy_user(data->user);
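
Review bot: The list_del(&data->list) sits under out_register:, so a failure path that jumps straight to out_user: skips the unlink. The hunk does not show where data is added to driver_data.bmc_data, so please confirm that the add happens only after the last goto out_user; if any such jump can follow the add, the freed entry stays on the list and the UAF described in the commit message remains on that path. It would also help to state in the commit message whether walkers of driver_data.bmc_data can run concurrently with this error path, since no locking is visible around the list_del().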