Commit b1bfbccc authored Feb 28, 2024 by Zhipeng Lu Committed by Hui Tang Feb 28, 2024

drivers/amd/pm: fix a use-after-free in kv_parse_power_table

stable inclusion
from stable-v4.19.305
commit 8a27d9d9fc9b5564b8904c3a77a7dea482bfa34e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I94FUJ
CVE: CVE-2023-52469

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8a27d9d9fc9b5564b8904c3a77a7dea482bfa34e



--------------------------------

[ Upstream commit 28dd788382c43b330480f57cd34cde0840896743 ]

When ps allocated by kzalloc equals to NULL, kv_parse_power_table
frees adev->pm.dpm.ps that allocated before. However, after the control
flow goes through the following call chains:

kv_parse_power_table
  |-> kv_dpm_init
        |-> kv_dpm_sw_init
	      |-> kv_dpm_fini

The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its
first free in kv_parse_power_table and causes a use-after-free bug.

Fixes: a2e73f56 ("drm/amdgpu: Add support for CIK parts")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Hui Tang <tanghui20@huawei.com>

parent f4144fbf

drivers/gpu/drm/amd/amdgpu/kv_dpm.c

+1 −3

Original line number	Diff line number	Diff line
		@@ -2746,10 +2746,8 @@ static int kv_parse_power_table(struct amdgpu_device *adev)
		non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *)
		&non_clock_info_array->nonClockInfo[non_clock_array_index];
		ps = kzalloc(sizeof(struct kv_ps), GFP_KERNEL);
		if (ps == NULL) {
		kfree(adev->pm.dpm.ps);
		if (ps == NULL)
		return -ENOMEM;
		}
		adev->pm.dpm.ps[i].ps_priv = ps;
		k = 0;
		idx = (u8 *)&power_state->v2.clockInfoIndex[0];