
Commit ee5ae5fa authored by Yatish Kumar Singh, committed by Vaishnavi AVS

serial: msm_geni_serial: Avoid UAF memory access in exit path



In issue case, geni_wake pointer is initialized while UART probe
and as a part of UART exit path wakeup_source_unregister is being
called to free the geni_wake pointer from memory but still caller
function can have the garbage value of geni_wake pointer which is
being accessed in uart_remove_one_port and leading to UAF.

To fix the issue we will make geni_wake pointer value as NULL after
freeing it from memory.

Change-Id: I213026286bef9774f7a426b9348a7302d3e67ff0
Signed-off-by: Yatish Kumar Singh <quic_yatishku@quicinc.com>
parent ca4e701e
+2 −1
// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2016-2021, The Linux Foundation. All rights reserved.
 * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
 * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
 */

#include <linux/bitmap.h>
@@ -3601,6 +3601,7 @@ static int msm_geni_serial_remove(struct platform_device *pdev)

	if (!uart_console(&port->uport)) {
		wakeup_source_unregister(port->geni_wake);
		port->geni_wake = NULL;
		flush_workqueue(port->qwork);
		destroy_workqueue(port->qwork);
	}
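
Review bot: Clearing port->geni_wake right after wakeup_source_unregister() only closes the use-after-free if every later reader treats NULL as "no wakeup source", and no such check is part of this change. The commit message names uart_remove_one_port as the reader, so please confirm (and say in the message) that this path tolerates a NULL geni_wake. Also note the ordering in this block: flush_workqueue(port->qwork) still runs after the wakeup source has been unregistered, so if any queued work item can touch geni_wake it may run against the freed object or against NULL depending on timing. Consider flushing and destroying port->qwork first, then unregistering and clearing the pointer.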