Message ID | 20240419174258.30309-2-bethany.jamison@canonical.com |
---|---|
State | New |
Series | CVE-2024-26694 |
On 19/04/2024 19:42, Bethany Jamison wrote: > From: Johannes Berg <johannes.berg@intel.com> > > commit 353d321f63f7dbfc9ef58498cc732c9fe886a596 upstream. > > The storage for the TLV PC register data wasn't done like all > the other storage in the drv->fw area, which is cleared at the > end of deallocation. Therefore, the freeing must also be done > differently, explicitly NULL'ing it out after the free, since > otherwise there's a nasty double-free bug here if a file fails > to load after this has been parsed, and we get another free > later (e.g. because no other file exists.) Fix that by adding > the missing NULL assignment. > > Cc: stable@vger.kernel.org > Fixes: 5e31b3df86ec ("wifi: iwlwifi: dbg: print pc register data once fw dump occurred") > Reported-by: Guy Kaplan <guy.kaplan@intel.com> > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > Reviewed-by: Gregory Greenman <gregory.greenman@intel.com> > Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com> > Link: https://msgid.link/20240123200528.675f3c24ec0d.I6ab4015cd78d82dd95471f840629972ef0331de3@changeid > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit d24eb9a27bea8fe5237fa71be274391d9d51eff2 linux-6.7.y) > CVE-2024-26694 > Signed-off-by: Bethany Jamison <bethany.jamison@canonical.com> > --- > drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c > index fb5e254757e71..8faf4e7872bb9 100644 > --- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c > +++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c 
> @@ -128,6 +128,7 @@ static void iwl_dealloc_ucode(struct iwl_drv *drv) > kfree(drv->fw.ucode_capa.cmd_versions); > kfree(drv->fw.phy_integration_ver); > kfree(drv->trans->dbg.pc_data); > + drv->trans->dbg.pc_data = NULL; > > for (i = 0; i < IWL_UCODE_TYPE_MAX; i++) > iwl_free_fw_img(drv, drv->fw.img + i); Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c index fb5e254757e71..8faf4e7872bb9 100644 --- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c @@ -128,6 +128,7 @@ static void iwl_dealloc_ucode(struct iwl_drv *drv) kfree(drv->fw.ucode_capa.cmd_versions); kfree(drv->fw.phy_integration_ver); kfree(drv->trans->dbg.pc_data); + drv->trans->dbg.pc_data = NULL; for (i = 0; i < IWL_UCODE_TYPE_MAX; i++) iwl_free_fw_img(drv, drv->fw.img + i);
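Review bot: the added `drv->trans->dbg.pc_data = NULL;` in iwl_dealloc_ucode() carries no comment saying why this one pointer is cleared by hand while the two kfree() calls directly above it (`drv->fw.ucode_capa.cmd_versions`, `drv->fw.phy_integration_ver`) are not. Per the commit message, those live in the drv->fw area that is cleared at the end of deallocation, whereas pc_data sits under drv->trans->dbg and is not covered by that clearing, so iwl_dealloc_ucode() running a second time after a failed file load would free the same pointer again. A one-line comment at the assignment, noting that pc_data is outside drv->fw and must be reset explicitly, would keep a later cleanup from dropping the line as redundant. Since the fix depends on this function being safe to call more than once, it is also worth confirming in the backport target that no other pointer freed here lives outside drv->fw.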