iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

SA1111: Eliminate use after free

Browse Source 
__sa1111_remove always frees its argument, so the subsequent reference to
sachip->saved_state represents a use after free.  __sa1111_remove does not
appear to use the saved_state field, so the patch simply frees it first.

A simplified version of the semantic patch that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression E,E2;
@@

__sa1111_remove(E)
...
(
  E = E2
|
* E
)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
This commit is contained in:
Julia Lawall 2010-07-30 17:17:28 +02:00 committed by Russell King
parent 74bc80931c
commit f2d2420bbf
1 changed files with 2 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
arch/arm/common/sa1111.c
View File

@ -1028,13 +1028,12 @@ static int sa1111_remove(struct platform_device *pdev)
struct sa1111 *sachip = platform_get_drvdata(pdev); struct sa1111 *sachip = platform_get_drvdata(pdev);
if (sachip) { if (sachip) {
__sa1111_remove(sachip);
platform_set_drvdata(pdev, NULL);
#ifdef CONFIG_PM #ifdef CONFIG_PM
kfree(sachip->saved_state); kfree(sachip->saved_state);
sachip->saved_state = NULL; sachip->saved_state = NULL;
#endif #endif
__sa1111_remove(sachip);
platform_set_drvdata(pdev, NULL);
} }
return 0; return 0;