Searched hist:"9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95" (Results 1 – 1 of 1) sorted by relevance
/openbmc/linux/drivers/firmware/efi/
capsule-loader.c | diff 9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95 Wed Sep 07 11:07:14 CDT 2022 Hyunwoo Kim <imv4bel@gmail.com> efi: capsule-loader: Fix use-after-free in efi_capsule_write
A race condition may occur if the user calls close() on another thread during a write() operation on the device node of the efi capsule.
This is a race condition that occurs between the efi_capsule_write() and efi_capsule_flush() functions of efi_capsule_fops, which ultimately results in UAF.
So, the page freeing process is modified to be done in efi_capsule_release() instead of efi_capsule_flush().
Cc: <stable@vger.kernel.org> # v4.9+
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Link: https://lore.kernel.org/all/20220907102920.GA88602@ubuntu/
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>