DivestOS/Patches/Linux_CVEs/CVE-2017-9684/1.patch


From 83cf9f50cda5ab3f99055242bebbcb26d96319ad Mon Sep 17 00:00:00 2001
From: Jack Pham <jackp@codeaurora.org>
Date: Wed, 6 Aug 2014 19:52:49 -0700
Subject: [PATCH] usb: gadget: qc_rndis: Properly handle rndis_ipa_init failure
Currently if rndis_ipa_init() fails port->func doesn't get
removed from the configuration list, and will lead to a
use-after-free when the calling function later tries to remove
the function. Fix this to handle the failure gracefully and only
call usb_add_function() if it succeeded.
Bug: 35136547
Change-Id: I2ad0dfeaea6b5b6ba1e47aad564ac052348677e6
Signed-off-by: Jack Pham <jackp@codeaurora.org>
---
drivers/usb/gadget/f_qc_rndis.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/drivers/usb/gadget/f_qc_rndis.c b/drivers/usb/gadget/f_qc_rndis.c
index dfa3dd6ed18dd..819bde5072a39 100644
--- a/drivers/usb/gadget/f_qc_rndis.c
+++ b/drivers/usb/gadget/f_qc_rndis.c
@@ -1206,25 +1206,27 @@ rndis_qc_bind_config_vendor(struct usb_configuration *c, u8 ethaddr[ETH_ALEN],
_rndis_qc = rndis;
+ if (rndis->xport == USB_GADGET_XPORT_BAM2BAM_IPA) {
+ status = rndis_ipa_init(&rndis_ipa_params);
+ if (status) {
+ pr_err("%s: failed to init rndis_ipa\n", __func__);
+ goto fail;
+ }
+ }
+
status = usb_add_function(c, &rndis->port.func);
if (status) {
- kfree(rndis);
+ if (rndis->xport == USB_GADGET_XPORT_BAM2BAM_IPA)
+ rndis_ipa_cleanup(rndis_ipa_params.private);
goto fail;
}
if (rndis->xport != USB_GADGET_XPORT_BAM2BAM_IPA)
return status;
- status = rndis_ipa_init(&rndis_ipa_params);
- if (status) {
- pr_err("%s: failed to initialize rndis_ipa\n", __func__);
- kfree(rndis);
- goto fail;
- } else {
- pr_debug("%s: rndis_ipa successful created\n", __func__);
- return status;
- }
fail:
+ kfree(rndis);
+ _rndis_qc = NULL;
rndis_exit();
return status;
}
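Review bot: On the new side nothing returns before `fail:` when `rndis->xport == USB_GADGET_XPORT_BAM2BAM_IPA` and usb_add_function() succeeds. The retained `if (rndis->xport != USB_GADGET_XPORT_BAM2BAM_IPA) return status;` covers only the other transports, and the block that used to return for the IPA case is removed. As the hunk reads, that success path falls into `kfree(rndis)`, `_rndis_qc = NULL` and `rndis_exit()` while `rndis->port.func` is still on the configuration's function list, and then returns 0, which is the same dangling-function condition the commit message sets out to fix. Replacing the conditional with an unconditional `return status;` just ahead of `fail:` would close it. The start of rndis_qc_bind_config_vendor() lies outside the hunk, so this is judged from the visible lines only.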