Re: [PATCH] cfg80211: reg: Fix use-after-free in call_crda

From: Johannes Berg
Date: Fri Feb 22 2019 - 08:00:18 EST


Hi,

> In function reg_query_database, query_regdb_file calls
> request_firmware_nowait to do request_firmware asynchronously,
> which needs the caller to hold a reference to dev; otherwise it will
> do put_device, freeing '&reg_pdev->dev'. After that, call_crda accessing
> the dev will trigger a use-after-free bug.

So ... OK, but how does that then only fix the firmware file loading,
rather than CRDA calling?

> This patch fixes this by holding a reference to dev in regulatory_init
> after platform_device_register_simple has registered successfully, which
> is released in platform_device_unregister.

This doesn't make sense? You just add a new reference and don't release
it? If there was a bug then just loading & unloading would trigger an
underflow now?

platform_device_register_full() (of which _simple is a wrapper) will
evidently return the pdev with a reference held, because it does
platform_device_put() in the error path?

johannes