Commit c1a214ad authored by John Hubbard's avatar John Hubbard Committed by Greg Kroah-Hartman
Browse files

mei: fix use-after-free in mei_cl_write 



KASAN reports a use-after-free during startup, in mei_cl_write:

    BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei]
       (drivers/misc/mei/client.c:1770)

This is caused by commit 98e70866 ("mei: add support for variable
length mei headers."), which changed the return value from len, to
buf->size. That ends up using a stale buf pointer, because blocking
call, the cb (callback) is deleted in me_cl_complete() function.

However, fortunately, len remains unchanged throughout the function
(and I don't see anything else that would require re-reading buf->size
either), so the fix is to simply revert the change, and return len, as
before.

Fixes: 98e70866 ("mei: add support for variable length mei headers.")
CC: Arnd Bergmann <arnd@arndb.de>
CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarJohn Hubbard <jhubbard@nvidia.com>
Signed-off-by: default avatarTomas Winkler <tomas.winkler@intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 8d2d8935

drivers/misc/mei/client.c

+1 −1
Original line number Diff line number Diff line
@@ -1767,7 +1767,7 @@ out: 
		}

	}



	rets = buf->size;

	rets = len;

err:

	cl_dbg(dev, cl, "rpm: autosuspend\n");

	pm_runtime_mark_last_busy(dev->dev);

CRA Git | Maintained and supported by SUSTech CRA and CCSE