[PATCH] net: phy: ncsi: fixed not nullify the pointers after free

The issue is a UAF (use-after-free) that causes a double free when the realloc function is called on the pointers during the NC-SI reinitialization process, and it causes memory management errors. So, nullify these pointers after free.

Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
---
 drivers/net/phy/ncsi.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/phy/ncsi.c b/drivers/net/phy/ncsi.c index eb3fd65bb4..9689385884 100644 --- a/drivers/net/phy/ncsi.c +++ b/drivers/net/phy/ncsi.c @@ -619,9 +619,12 @@ static void ncsi_handle_aen(struct ip_udp_hdr *ip, unsigned int len)
/* Link or configuration lost - just redo the discovery process */ ncsi_priv->state = NCSI_PROBE_PACKAGE_SP; - for (i = 0; i < ncsi_priv->n_packages; i++) + for (i = 0; i < ncsi_priv->n_packages; i++) { free(ncsi_priv->packages[i].channels); + ncsi_priv->packages[i].channels = NULL; + } free(ncsi_priv->packages); + ncsi_priv->packages = NULL; ncsi_priv->n_packages = 0;
ncsi_priv->current_package = NCSI_PACKAGE_MAX;
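
Review bot: The store `ncsi_priv->packages[i].channels = NULL;` inside the loop writes into the `packages` array that `free(ncsi_priv->packages);` releases immediately after the loop, so nothing can read those NULLs afterwards, and the braces added around the loop body exist only for that store. The assignment that actually removes the stale pointer is `ncsi_priv->packages = NULL;`. Consider dropping the per-package store, or keep it as defensive style and say so in the commit message. Because the message attributes the double free to a later realloc of these pointers, a one-line comment here stating that `packages` must be NULL and `n_packages` must be 0 before discovery restarts would record the invariant the fix relies on. Moving this free-and-clear sequence into a small helper would also keep the free and the reset together if the teardown is ever needed from another path.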

On Fri, Dec 29, 2023 at 09:45:55AM +0800, Jacky Chou wrote:
The issue is a UAF (use-after-free) that causes a double free when the realloc function is called on the pointers during the NC-SI reinitialization process, and it causes memory management errors. So, nullify these pointers after free.

Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>

Applied to u-boot/next, thanks!

participants (2)
- Jacky Chou
- Tom Rini