Commit eb2aa542 authored by Alexey Khoroshilov's avatar Alexey Khoroshilov Committed by Pu Lehui

mISDN: Fix memory leak in dsp_pipeline_build()

mainline inclusion
from mainline-v5.17-rc8
commit c6a502c2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGSF
CVE: CVE-2022-48863

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c6a502c22999



--------------------------------

dsp_pipeline_build() allocates dup pointer by kstrdup(cfg),
but then it updates dup variable by strsep(&dup, "|").
As a result when it calls kfree(dup), the dup variable contains NULL.

Found by Linux Driver Verification project (linuxtesting.org) with SVACE.

Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
Fixes: 960366cf ("Add mISDN DSP")
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Conflicts:
	drivers/isdn/mISDN/dsp_pipeline.c
[The conflicts were due to not merge some unnecessary commit]
Signed-off-by: default avatarPu Lehui <pulehui@huawei.com>
parent 9bfba252
+3 −3
@@ -236,7 +236,7 @@ void dsp_pipeline_destroy(struct dsp_pipeline *pipeline)
int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg)
int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg)
{
{
	int incomplete = 0, found = 0;
	int incomplete = 0, found = 0;
	char *dup, *tok, *name, *args;
	char *dup, *next, *tok, *name, *args;
	struct dsp_element_entry *entry, *n;
	struct dsp_element_entry *entry, *n;
	struct dsp_pipeline_entry *pipeline_entry;
	struct dsp_pipeline_entry *pipeline_entry;
	struct mISDN_dsp_element *elem;
	struct mISDN_dsp_element *elem;
@@ -247,10 +247,10 @@ int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg)
	if (!list_empty(&pipeline->list))
	if (!list_empty(&pipeline->list))
		_dsp_pipeline_destroy(pipeline);
		_dsp_pipeline_destroy(pipeline);


	dup = kstrdup(cfg, GFP_ATOMIC);
	dup = next = kstrdup(cfg, GFP_ATOMIC);
	if (!dup)
	if (!dup)
		return 0;
		return 0;
	while ((tok = strsep(&dup, "|"))) {
	while ((tok = strsep(&next, "|"))) {
		if (!strlen(tok))
		if (!strlen(tok))
			continue;
			continue;
		name = strsep(&tok, "(");
		name = strsep(&tok, "(");
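Review bot: Nothing in the new code records why two pointers now hold the kstrdup() result, so a later cleanup could fold `next` back into `dup` and quietly reintroduce the leak. I would add a comment above the `dup = next = kstrdup(cfg, GFP_ATOMIC);` line, for example `/* strsep() walks next until it is NULL; dup keeps the allocation base for kfree() */`. The kfree(dup) call that relies on this is further down in dsp_pipeline_build(), outside the hunk, as the commit description indicates. Separately, `if (!dup) return 0;` gives the caller no sign of an allocation failure if 0 is also the success value, which is not visible here; it is worth confirming and, if callers can handle it, returning `-ENOMEM` instead.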