[PATCH v2 0/2] Console/stdio use after free
Andy Shevchenko
andriy.shevchenko at linux.intel.com
Thu Jan 28 17:55:51 CET 2021
On Thu, Jan 28, 2021 at 02:12:38PM +0100, Nicolas Saenz Julienne wrote:
> With today's master, 70c2525c0d3c ('IOMUX: Stop dropped consoles')
> introduces a use after free in usb_kbd_remove():
>
> - usbkbd's stdio device is de-registered with stdio_deregister_dev(),
> the struct stdio_dev is freed.
>
> - iomux_doenv() is called, usbkbd removed from the console list, and
> console_stop() is called on the struct stdio_dev pointer that no
> longer exists.
>
> This series mitigates this by making sure the pointer is really a stdio
> device prior performing the stop operation. It's not ideal, but I
> couldn't figure out a nicer way to fix this.
I have just sent another approach, can you test it instead, please?
--
With Best Regards,
Andy Shevchenko
More information about the U-Boot
mailing list