mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-12 21:57:43 +00:00
3093ee182f
Our code analyzer reported a UAF.
In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of
siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via
kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a
freed object. After, the execution continue up to the err_out branch of
siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).
My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {}
section, to avoid the uaf.
Fixes:
|
||
---|---|---|
.. | ||
iwarp.h | ||
Kconfig | ||
Makefile | ||
siw.h | ||
siw_cm.c | ||
siw_cm.h | ||
siw_cq.c | ||
siw_main.c | ||
siw_mem.c | ||
siw_mem.h | ||
siw_qp.c | ||
siw_qp_rx.c | ||
siw_qp_tx.c | ||
siw_verbs.c | ||
siw_verbs.h |