stable inclusion
from stable-v4.19.247
commit abb67043060f2bf4c03d7c3debb9ae980e2b6db3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP1CU
CVE: CVE-2022-49388

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=abb67043060f2bf4c03d7c3debb9ae980e2b6db3

--------------------------------

[ Upstream commit 8c03a1c2 ]

There is a use-after-free problem for 'eba_tbl' in ubi_create_volume()'s
error handling path:

    ubi_eba_replace_table(vol, eba_tbl)
      vol->eba_tbl = tbl
  out_mapping:
    ubi_eba_destroy_table(eba_tbl)   // Free 'eba_tbl'
  out_unlock:
    put_device(&vol->dev)
      vol_release
        kfree(tbl->entries)          // UAF

Fix it by removing redundant 'eba_tbl' releasing.
Fetch a reproducer in [Link].

Fixes: 493cfaea ("mtd: utilize new cdev_device_add helper function")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215965
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>
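
The ownership problem described in the commit message, as an added userspace model (not kernel code and not part of this commit): once the table is attached to the volume, the release callback owns it, so a second release in the error path touches an object that is already gone. All names (`table`, `volume`, `table_destroy`, `volume_release`, `create_volume_fails`) are hypothetical, and the stale access is counted with a flag rather than actually performed.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Simplified userspace model; hypothetical names, not the UBI sources. */
struct table  { int *entries; bool freed; };
struct volume { struct table *eba_tbl; };

static int stale_uses; /* times an already-released table was touched */

/* Stand-in for the table destructor: releases the entries once and
 * records, instead of performing, any access after release. */
static void table_destroy(struct table *t)
{
    if (!t)
        return;
    if (t->freed) {
        stale_uses++;
        return;
    }
    free(t->entries);
    t->entries = NULL;
    t->freed = true;
}

/* Stand-in for the release callback reached through put_device(). */
static void volume_release(struct volume *v)
{
    table_destroy(v->eba_tbl);
    v->eba_tbl = NULL;
}

/* Models the failing create path. free_in_error_path == true is the
 * pre-fix behaviour, false is the behaviour after the fix.
 * Returns the number of stale uses observed, or -1 on allocation failure. */
static int create_volume_fails(bool free_in_error_path)
{
    struct table tbl = { calloc(8, sizeof(int)), false };
    struct volume vol = { NULL };

    stale_uses = 0;
    if (!tbl.entries)
        return -1;
    vol.eba_tbl = &tbl;        /* ownership moves to the volume */
    /* ... a later setup step fails, so error handling runs ... */
    if (free_in_error_path)
        table_destroy(&tbl);   /* out_mapping: redundant release */
    volume_release(&vol);      /* out_unlock: put_device() */
    return stale_uses;
}
```
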