[PATCH] mtd: Fix potential UAF for mtdswap_dev pointers

Miquel Raynal miquel.raynal at bootlin.com
Mon Feb 24 07:36:30 PST 2025


Hello Ma,

On 24/02/2025 at 21:30:07 +08, Ma Ke <make24 at iscas.ac.cn> wrote:

> In the mtdswap_init(), if the allocations fail, the error handling
> path frees d->page_buf, d->eb_data, d->revmap and d->page_data without
> setting these pointers to NULL. This could lead to UAF if subsequent
> error handling or device reset operations attempt to release these
> pointers again.
>
> Set d->page_buf, d->eb_data, d->revmap and d->page_data to NULL
> immediately after freeing them to prevent misuse. Release immediately
> and set to NULL, adhering to the 'release implies invalid' defensive
> programming principle.
>
> Found by code review.
>
> Cc: stable at vger.kernel.org
> Fixes: a32159024620 ("mtd: Add mtdswap block driver")

I am sorry but are you really fixing something? There are thousand of
drivers doing nothing with their freed pointers in the error path,
because they just cannot be used anymore.

Thanks,
Miquèl
