diff options
| author | Hyunwoo Kim <[email protected]> | 2022-09-07 09:07:14 -0700 |
|---|---|---|
| committer | Ard Biesheuvel <[email protected]> | 2022-09-07 18:23:56 +0200 |
| commit | 9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95 (patch) | |
| tree | bd9589d71ff723e58ae7ef421691f7728e7e8e0c /drivers/net/wwan/iosm/iosm_ipc_protocol.c | |
| parent | 7a1ec84ffba9e90ac772ddb33ea9c3899ed8d2c9 (diff) | |
efi: capsule-loader: Fix use-after-free in efi_capsule_write
A race condition may occur if the user calls close() on another thread
during a write() operation on the device node of the efi capsule.
This is a race condition that occurs between the efi_capsule_write() and
efi_capsule_flush() functions of efi_capsule_fops, which ultimately
results in UAF.
So, the page freeing process is modified to be done in
efi_capsule_release() instead of efi_capsule_flush().
Cc: <[email protected]> # v4.9+
Signed-off-by: Hyunwoo Kim <[email protected]>
Link: https://lore.kernel.org/all/20220907102920.GA88602@ubuntu/
Signed-off-by: Ard Biesheuvel <[email protected]>
Diffstat (limited to 'drivers/net/wwan/iosm/iosm_ipc_protocol.c')
0 files changed, 0 insertions, 0 deletions