Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ee3b53d8 authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman
Browse files

drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl 

commit c8ea3663f7a8e6996d44500ee818c9330ac4fd88 upstream.

strndup_user() returns error pointers on error, and then in the error
handling we pass the error pointers to kfree().  It will cause an Oops.

Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam


Fixes: 6db71994 ("drivers/virt: introduce Freescale hypervisor management driver")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Cc: Timur Tabi <timur@freescale.com>
Cc: Mihai Caraman <mihai.caraman@freescale.com>
Cc: Kumar Gala <galak@kernel.crashing.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent afa485dc

drivers/virt/fsl_hypervisor.c

+13 −13
Original line number Diff line number Diff line
@@ -331,8 +331,8 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) 
	struct fsl_hv_ioctl_prop param;

	char __user *upath, *upropname;

	void __user *upropval;

	char *path = NULL, *propname = NULL;

	void *propval = NULL;

	char *path, *propname;

	void *propval;

	int ret = 0;



	/* Get the parameters from the user. */
@@ -344,32 +344,30 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) 
	upropval = (void __user *)(uintptr_t)param.propval;



	path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN);

	if (IS_ERR(path)) {

		ret = PTR_ERR(path);

		goto out;

	}

	if (IS_ERR(path))

		return PTR_ERR(path);



	propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN);

	if (IS_ERR(propname)) {

		ret = PTR_ERR(propname);

		goto out;

		goto err_free_path;

	}



	if (param.proplen > FH_DTPROP_MAX_PROPLEN) {

		ret = -EINVAL;

		goto out;

		goto err_free_propname;

	}



	propval = kmalloc(param.proplen, GFP_KERNEL);

	if (!propval) {

		ret = -ENOMEM;

		goto out;

		goto err_free_propname;

	}



	if (set) {

		if (copy_from_user(propval, upropval, param.proplen)) {

			ret = -EFAULT;

			goto out;

			goto err_free_propval;

		}



		param.ret = fh_partition_set_dtprop(param.handle,
@@ -388,7 +386,7 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) 
			if (copy_to_user(upropval, propval, param.proplen) ||

			    put_user(param.proplen, &p->proplen)) {

				ret = -EFAULT;

				goto out;

				goto err_free_propval;

			}

		}

	}
@@ -396,10 +394,12 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) 
	if (put_user(param.ret, &p->ret))

		ret = -EFAULT;



out:

	kfree(path);

err_free_propval:

	kfree(propval);

err_free_propname:

	kfree(propname);

err_free_path:

	kfree(path);



	return ret;

}