PCI: Fix reset_method_store() memory leak
[ Upstream commit 2985b1844f3f3447f2d938eff1ef6762592065a5 ]
In reset_method_store(), a string is allocated via kstrndup() and assigned
to the local "options". options is then used in with strsep() to find
spaces:
while ((name = strsep(&options, " ")) != NULL) {
If there are no remaining spaces, then options is set to NULL by strsep(),
so the subsequent kfree(options) doesn't free the memory allocated via
kstrndup().
Fix by using a separate tmp_options to iterate with strsep() so options is
preserved.
BUG=b/388469340
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2024-56745 in the Linux kernel.
cos-patch: security-moderate
Link: https://lore.kernel.org/r/20241001231147.3583649-1-tkjos@google.com
Fixes: d88f521da3ef ("PCI: Allow userspace to query and set device reset mechanism")
Change-Id: I084bc723a23a6952a372d7219a4365f7f416c779
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kernel CVE Triage Automation <cloud-image-kernel-cve-triage-automation@prod.google.com>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/89860
Reviewed-by: Kevin Berry <kpberry@google.com>
Reviewed-by: Shuo Yang <gshuoy@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index f759234..5f9a1ffa 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -5302,7 +5302,7 @@ static ssize_t reset_method_store(struct device *dev,
const char *buf, size_t count)
{
struct pci_dev *pdev = to_pci_dev(dev);
- char *options, *name;
+ char *options, *tmp_options, *name;
int m, n;
u8 reset_methods[PCI_NUM_RESET_METHODS] = { 0 };
@@ -5322,7 +5322,8 @@ static ssize_t reset_method_store(struct device *dev,
return -ENOMEM;
n = 0;
- while ((name = strsep(&options, " ")) != NULL) {
+ tmp_options = options;
+ while ((name = strsep(&tmp_options, " ")) != NULL) {
if (sysfs_streq(name, ""))
continue;
