Commit 27d6627f authored Jan 06, 2025 by Todd Kjos Committed by Zeng Heng Jan 06, 2025

PCI: Fix reset_method_store() memory leak

stable inclusion
from stable-v6.6.64
commit 8e098baf6bc3f3a6aefc383509aba07e202f7ee0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEGF6
CVE: CVE-2024-56745

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e098baf6bc3f3a6aefc383509aba07e202f7ee0

--------------------------------

[ Upstream commit 2985b1844f3f3447f2d938eff1ef6762592065a5 ]

In reset_method_store(), a string is allocated via kstrndup() and assigned
to the local "options". options is then used in with strsep() to find
spaces:

  while ((name = strsep(&options, " ")) != NULL) {

If there are no remaining spaces, then options is set to NULL by strsep(),
so the subsequent kfree(options) doesn't free the memory allocated via
kstrndup().

Fix by using a separate tmp_options to iterate with strsep() so options is
preserved.

Link: https://lore.kernel.org/r/20241001231147.3583649-1-tkjos@google.com


Fixes: d88f521d ("PCI: Allow userspace to query and set device reset mechanism")
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zeng Heng <zengheng4@huawei.com>

parent 99141177

drivers/pci/pci.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -5463,7 +5463,7 @@ static ssize_t reset_method_store(struct device *dev,
		const char *buf, size_t count)
		{
		struct pci_dev *pdev = to_pci_dev(dev);
		char options, name;
		char options, tmp_options, *name;
		int m, n;
		u8 reset_methods[PCI_NUM_RESET_METHODS] = { 0 };

		@@ -5483,7 +5483,8 @@ static ssize_t reset_method_store(struct device *dev,
		return -ENOMEM;

		n = 0;
		while ((name = strsep(&options, " ")) != NULL) {
		tmp_options = options;
		while ((name = strsep(&tmp_options, " ")) != NULL) {
		if (sysfs_streq(name, ""))
		continue;