[PATCH 0/2] Console/stdio use after free

Simon Glass sjg at chromium.org
Wed Jan 20 15:59:34 CET 2021


Hi Nicolas,

On Wed, 20 Jan 2021 at 07:44, Nicolas Saenz Julienne
<nsaenzjulienne at suse.de> wrote:
>
> On Wed, 2021-01-20 at 07:18 -0700, Simon Glass wrote:
> > Hi Nicolas,
> >
> > On Wed, 20 Jan 2021 at 07:04, Nicolas Saenz Julienne
> > <nsaenzjulienne at suse.de> wrote:
> > >
> > > With today's master, 70c2525c0d3c ('IOMUX: Stop dropped consoles')
> > > introduces a use after free in usb_kbd_remove():
> > >
> > > - usbkbd's stdio device is de-registered with stdio_deregister_dev(),
> > >   the struct stdio_dev is freed.
> > >
> > > - iomux_doenv() is called, usbkbd removed from the console list, and
> > >   console_stop() is called on the struct stdio_dev pointer that no
> > >   longer exists.
> > >
> > > This series mitigates this by making sure the pointer is really a stdio
> > > device prior to performing the stop operation. It's not ideal, but I
> > > couldn't figure out a nicer way to fix this.
> >
> > Your 'from' address is coming through as just your email. Could you
> > please update it to include your name as well?
>
> OK, do you want me to re-send the series?

Not just for that, no.

Regards,
Simon
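
The sequence described in the quoted cover letter (a device is freed on de-registration, then a stop is attempted through a console list that still holds its pointer), modelled as an added example that is not code from this thread or from U-Boot. All names are hypothetical, and the guard shown is an address-only registry lookup, which cannot tell a new device allocated at the same address from the one that was freed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified model; every name here is hypothetical, not U-Boot's. */
struct demo_dev { struct demo_dev *next; int stops; };
static struct demo_dev *registry;       /* devices currently registered */

static struct demo_dev *demo_register(void)
{
    struct demo_dev *d = calloc(1, sizeof(*d));
    if (d) { d->next = registry; registry = d; }
    return d;
}

/* Unlink from the registry and free, as a deregister call would. */
static void demo_deregister(struct demo_dev *d)
{
    for (struct demo_dev **pp = &registry; *pp; pp = &(*pp)->next)
        if (*pp == d) { *pp = d->next; free(d); return; }
}

/* Validity check: compares addresses only, never dereferences addr. */
static bool demo_is_registered(uintptr_t addr)
{
    for (struct demo_dev *d = registry; d; d = d->next)
        if ((uintptr_t)d == addr) return true;
    return false;
}

/* Guarded stop: skips a handle whose device is no longer registered. */
static bool demo_console_stop(uintptr_t addr)
{
    if (!demo_is_registered(addr)) return false;
    ((struct demo_dev *)addr)->stops++;  /* safe: device is still live */
    return true;
}

/* Free one device, then stop both console entries; returns stops run. */
static int demo_scenario(void)
{
    struct demo_dev *kbd = demo_register(), *serial = demo_register();
    uintptr_t console_list[2] = { (uintptr_t)kbd, (uintptr_t)serial };
    demo_deregister(kbd);                /* console_list[0] is now stale */
    int stopped = demo_console_stop(console_list[0])
                + demo_console_stop(console_list[1]);
    demo_deregister(serial);
    return stopped;
}
int main(void) { return demo_scenario() == 1 ? 0 : 1; }
```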

