Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net: arc_emac: Fix use after free in arc_mdio_probe()

If bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free
the "bus". But bus->name is still used in the next line, which will lead
to a use after free.

We can fix it by putting the name in a local variable and making
bus->name point to the rodata section "name", then using the name in the
error message without referring to bus to avoid the UAF.

Fixes: 95b5fc03c189 ("net: arc_emac: Make use of the helper function dev_err_probe()")
Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
Link: https://lore.kernel.org/r/20220309121824.36529-1-niejianglei2021@163.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Authored by Jianglei Nie and committed by Jakub Kicinski
bc0e610a 633593a8

+3 -2
drivers/net/ethernet/arc/emac_mdio.c
··· 132 132 { 133 133 struct arc_emac_mdio_bus_data *data = &priv->bus_data; 134 134 struct device_node *np = priv->dev->of_node; 135 + const char *name = "Synopsys MII Bus"; 135 136 struct mii_bus *bus; 136 137 int error; 137 138 ··· 143 142 priv->bus = bus; 144 143 bus->priv = priv; 145 144 bus->parent = priv->dev; 146 - bus->name = "Synopsys MII Bus"; 145 + bus->name = name; 147 146 bus->read = &arc_mdio_read; 148 147 bus->write = &arc_mdio_write; 149 148 bus->reset = &arc_mdio_reset; ··· 168 167 if (error) { 169 168 mdiobus_free(bus); 170 169 return dev_err_probe(priv->dev, error, 171 - "cannot register MDIO bus %s\n", bus->name); 170 + "cannot register MDIO bus %s\n", name); 172 171 } 173 172 174 173 return 0;
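Review bot: The new declaration `const char *name = "Synopsys MII Bus";` in the first hunk carries no comment saying why the string is held in a local, so a later cleanup could fold it back into `bus->name` and reintroduce the read after `mdiobus_free(bus)`. A one-line comment at the declaration or above the `dev_err_probe()` call, noting that `bus` is already freed when the message is formatted, would record the constraint. Making it `static const char name[]` or a file-level define would also signal that the string is meant to outlive the bus.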
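Review bot: In the third hunk's error path, `priv->bus` still holds the pointer that `mdiobus_free(bus)` has just released, because the context of the second hunk shows `priv->bus = bus;` assigned before registration and nothing in the visible lines resets it. The format argument is fixed by switching to `name`, but the stale pointer in `priv` remains, and any later reader of `priv->bus` would hit the same class of bug. Consider setting `priv->bus = NULL` next to the `mdiobus_free(bus)` call, or moving the `priv->bus = bus;` assignment to after registration succeeds.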