SA1111: Eliminate use after free

Author: Julia Lawall <julia@diku.dk>

__sa1111_remove always frees its argument, so the subsequent reference to
sachip->saved_state represents a use after free.  __sa1111_remove does not
appear to use the saved_state field, so the patch simply frees it first.

A simplified version of the semantic patch that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// 
@@
expression E,E2;
@@

__sa1111_remove(E)
...
(
  E = E2
|
* E
)
// 

Signed-off-by: Julia Lawall 
Signed-off-by: Russell King

---
 arch/arm/common/sa1111.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
 
diff --git a/arch/arm/common/sa1111.c b/arch/arm/common/sa1111.c
index 6f80665..9eaf65f 100644
--- a/arch/arm/common/sa1111.c
+++ b/arch/arm/common/sa1111.c
@@ -1028,13 +1028,12 @@ static int sa1111_remove(struct platform_device *pdev)
 	struct sa1111 *sachip = platform_get_drvdata(pdev);
 
 	if (sachip) {
-		__sa1111_remove(sachip);
-		platform_set_drvdata(pdev, NULL);
-
 #ifdef CONFIG_PM
 		kfree(sachip->saved_state);
 		sachip->saved_state = NULL;
 #endif
+		__sa1111_remove(sachip);
+		platform_set_drvdata(pdev, NULL);
 	}
 
 	return 0;

SA1111: Eliminate use after free

qlambert

Archives

Posts by Subject