mei: fix use-after-free in mei_cl_write
KASAN reports a use-after-free during startup, in mei_cl_write:

    BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei]
       (drivers/misc/mei/client.c:1770)

This is caused by commit 98e7086 ("mei: add support for variable
length mei headers."), which changed the return value from len to
buf->size. That ends up using a stale buf pointer, because in the blocking
call the cb (callback) is deleted in the me_cl_complete() function.

However, fortunately, len remains unchanged throughout the function
(and I don't see anything else that would require re-reading buf->size
either), so the fix is to simply revert the change, and return len, as
before.

Fixes: 98e7086 ("mei: add support for variable length mei headers.")
CC: Arnd Bergmann <[email protected]>
CC: Greg Kroah-Hartman <[email protected]>
Signed-off-by: John Hubbard <[email protected]>
Signed-off-by: Tomas Winkler <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
johnhubbard authored and gregkh committed Sep 12, 2018
1 parent 8d2d893 commit c1a214a
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/misc/mei/client.c
Expand Up @@ -1767,7 +1767,7 @@ ssize_t mei_cl_write(struct mei_cl *cl, struct mei_cl_cb *cb)
}
}

rets = buf->size;
rets = len;
err:
cl_dbg(dev, cl, "rpm: autosuspend\n");
pm_runtime_mark_last_busy(dev->dev);
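Review bot: `rets = len;` restores the pre-98e7086 behaviour, but nothing at this spot tells a future reader why `buf->size` must not be read here; add a short comment above the assignment, e.g. `/* buf may be freed once the blocking write completes; return the saved len */`, so the stale-pointer read is not reintroduced by a later cleanup. The fix also relies on `len` not being modified anywhere earlier in mei_cl_write(), as the commit message states; stating that invariant in the same comment makes the dependency explicit.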
