Re: [PATCH 1/6] property: add fwnode_property_read_string_index()

From: Clément Léger
Date: Fri Mar 18 2022 - 12:50:48 EST

Next message: Nam Cao: "[PATCH] staging: sm750fb: add necessary #include in sm750_accel.h, sm750_cursor.h"
Previous message: Dan Vacura: "[PATCH v2] usb: gadget: uvc: Fix crash when encoding data for usb request"
In reply to: Andy Shevchenko: "Re: [PATCH 1/6] property: add fwnode_property_read_string_index()"
Next in thread: Andy Shevchenko: "Re: [PATCH 1/6] property: add fwnode_property_read_string_index()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Le Fri, 18 Mar 2022 18:26:00 +0200,
Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx> a écrit :

> On Fri, Mar 18, 2022 at 05:00:47PM +0100, Clément Léger wrote:
> > Add fwnode_property_read_string_index() function which allows to
> > retrieve a string from an array by its index. This function is the
> > equivalent of of_property_read_string_index() but for fwnode support.
>
> ...
>
> > + values = kcalloc(nval, sizeof(*values), GFP_KERNEL);
> > + if (!values)
> > + return -ENOMEM;
> > +
> > + ret = fwnode_property_read_string_array(fwnode, propname, values, nval);
> > + if (ret < 0)
> > + goto out;
> > +
> > + *string = values[index];
> > +out:
> > + kfree(values);
>
> Here is UAF (use after free). How is it supposed to work?
>

values is an array of pointers. I'm only retrieving a pointer out of
it.

--
Clément Léger,
Embedded Linux and Kernel engineer at Bootlin
https://bootlin.com

Next message: Nam Cao: "[PATCH] staging: sm750fb: add necessary #include in sm750_accel.h, sm750_cursor.h"
Previous message: Dan Vacura: "[PATCH v2] usb: gadget: uvc: Fix crash when encoding data for usb request"
In reply to: Andy Shevchenko: "Re: [PATCH 1/6] property: add fwnode_property_read_string_index()"
Next in thread: Andy Shevchenko: "Re: [PATCH 1/6] property: add fwnode_property_read_string_index()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]