Commit aaa3d408 authored Dec 18, 2024 by He Yujie

gpiolib: fix memory use-after-free in gpiochip_setup_dev()

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB8UN5


CVE: CVE-2022-48975

--------------------------------

Commit aa1e2bfd attempt to fix a CVE problem, but the patch
conflicted with current version. When the patch is adapted,
an error is introduced in the function of gpiochip_add_data_with_key.
After the gdev is released, the gdev is still accessed, resulting in
use-after-free.

The value of gdev->ngpio is assigned from gc->ngpio and is not changed
during the processing of function. Therefore, this patch changes
gdev->ngpio to gc->ngpio to solve the above use-after-free problem.

Fixes: aa1e2bfd ("gpiolib: fix memory leak in gpiochip_setup_dev()")
Signed-off-by: He Yujie <coka.heyujie@huawei.com>

parent 36ade961

drivers/gpio/gpiolib.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -795,7 +795,7 @@ int gpiochip_add_data_with_key(struct gpio_chip gc, void data,
		err_print_message:
		/* failures here can mean systems won't boot... */
		pr_err("%s: GPIOs %d..%d (%s) failed to register, %d\n", __func__,
		base, base + gdev->ngpio - 1,
		base, base + (int)gc->ngpio - 1,
		gc->label ? : "generic", ret);
		return ret;
		}