resource leak in firmware/arm_scmi driver
Uwe Kleine-König
u.kleine-koenig at pengutronix.de
Mon Oct 10 01:45:45 PDT 2022
Hello,
during some janitorial cleanup I stumbled over a resource leak in
drivers/firmware/arm_scmi/driver.c.
The problem is as follows:
scmi_remove() might return early if info->users is non-zero. The driver
core however ignores the return value of scmi_remove() and removes the
device and frees the devm-allocated resources (e.g. *info).
So leaving aside that some resources are never freed after a failed call
of scmi_remove(), the user of the scmi node will probably stumble over
accessing freed memory soon. I wouldn't be surprised if that was
exploitable.
I quickly tried to fix this issue, but didn't understand the driver well
enough. I think a fix would involve adding a get_device() call to
scmi_handle_get() to prevent scmi_remove() being called while a handle
exists.
Best regards
Uwe
--
Pengutronix e.K. | Uwe Kleine-König |
Industrial Linux Solutions | https://www.pengutronix.de/ |
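
Added example, not part of the original mail and not kernel code: a userspace C model of the lifetime problem the mail describes, where unbind ignores the return value of the remove callback and frees the devm-style allocation while a handle is still outstanding. All names (model_info, model_unbind, handle_dangles and so on) are hypothetical, and the reference-counted variant is an assumed alternative lifetime rule for comparison, not a tested fix for the driver.

```c
#include <errno.h>
#include <stdbool.h>

/* Userspace model only: every name below is hypothetical, not kernel code. */
struct model_info {
    int users;     /* outstanding handles, standing in for info->users */
    bool unbound;  /* driver has been unbound from the device */
    bool freed;    /* set at the point where *info would be freed */
};

/* remove() callback: returns early while handles are outstanding. */
static int model_remove(const struct model_info *info)
{
    return info->users ? -EBUSY : 0;
}

/* Unbind path: the return value of remove() is ignored. */
static void model_unbind(struct model_info *info, bool refcounted)
{
    (void)model_remove(info);
    info->unbound = true;
    /* devm-style: freed unconditionally; refcounted: only when unused. */
    if (!refcounted || info->users == 0)
        info->freed = true;
}

/* Dropping a handle; in the refcounted variant the last put frees info. */
static void model_handle_put(struct model_info *info, bool refcounted)
{
    info->users--;
    if (refcounted && info->unbound && info->users == 0)
        info->freed = true;
}

/* True if a handle is still outstanding after info has been freed. */
bool handle_dangles(int users, bool refcounted)
{
    struct model_info info = { .users = users };
    model_unbind(&info, refcounted);
    return info.users > 0 && info.freed;
}

/* True if info ends up freed once the single handle is dropped after unbind. */
bool freed_after_last_put(bool refcounted)
{
    struct model_info info = { .users = 1 };
    model_unbind(&info, refcounted);
    model_handle_put(&info, refcounted);
    return info.freed;
}
```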