RE: [PATCH] EDAC/sysfs: Fix UAF in edac_device_register_sysfs_main_kobj()

From: Zhuo, Qiuxu

Date: Tue Apr 28 2026 - 11:09:11 EST


> From: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> [...]
> Subject: [PATCH] EDAC/sysfs: Fix UAF in edac_device_register_sysfs_main_kobj()
>
> If kobject_init_and_add() fails, the error path drops the kobject reference with
> kobject_put(). This may call edac_device_ctrl_master_release(), which drops
> the module reference and frees the edac_device_ctl_info object.
>
> However, the same error path then calls module_put(edac_dev->owner),
> which dereferences edac_dev after it may have been freed. This can cause a
> use-after-free and also drops the module reference twice.
>
> Track whether kobject_init_and_add() has been called. If it has, rely on the
> kobject release callback to drop the module reference. Otherwise, drop the
> module reference directly.
>
> This issue was found by a static analysis tool I am developing.
>
> Fixes: 17ed808ad2431 ("EDAC: Fix reference count leaks")
> Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> ---
> drivers/edac/edac_device_sysfs.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/edac/edac_device_sysfs.c
> b/drivers/edac/edac_device_sysfs.c
> index fcebc4ffea26..32460c6dfb7c 100644
> --- a/drivers/edac/edac_device_sysfs.c
> +++ b/drivers/edac/edac_device_sysfs.c
> @@ -231,6 +231,7 @@ int edac_device_register_sysfs_main_kobj(struct
> edac_device_ctl_info *edac_dev)
> struct device *dev_root;
> const struct bus_type *edac_subsys;
> int err = -ENODEV;
> + bool kobj_initialized = false;
>
> edac_dbg(1, "\n");
>
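
Review bot: the new `bool kobj_initialized = false;` declaration is the whole mechanism of this fix, yet nothing at the declaration says what it records; the changelog defines it as "kobject_init_and_add() has been called, so the kobject release callback now owns the module reference", and a one-line comment to that effect on the declaration (or a more specific name such as `kobj_release_owns_modref`) would let a reader of the unwind path understand it without the commit message.
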
> @@ -261,6 +262,7 @@ int edac_device_register_sysfs_main_kobj(struct
> edac_device_ctl_info *edac_dev)
> if (err) {
> edac_dbg(1, "Failed to register '.../edac/%s'\n",
> edac_dev->name);
> + kobj_initialized = true;

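Review bot: the flag is set inside the `if (err)` block, i.e. only after a failure, whereas the changelog says it is meant to record whether kobject_init_and_add() was called at all; setting it immediately after the call and before the `if (err)` test would express that intent directly. As written, the flag also becomes true whenever this branch is entered with `err` still holding the initial -ENODEV from its declaration, so if any path reaches the check without kobject_init_and_add() having run, the unwind will skip module_put() while no release callback will ever fire, and the module reference leaks. The part of the error path that consumes `kobj_initialized` is not in the quoted hunk, so the resulting kobject_put()/module_put() ordering needs to be checked against the truncated remainder of the patch.
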
This looks incorrect - the flag is marked true on failure ???

[...]