[SRU][F][PATCH 3/3] eeprom: at24: fix memory corruption race condition

Hui Wang hui.wang at canonical.com
Mon Sep 9 01:10:40 UTC 2024


From: Daniel Okazaki <dtokazaki at google.com>

If the eeprom is not accessible, an nvmem device will be registered, the
read will fail, and the device will be torn down. If another driver
accesses the nvmem device after the teardown, it will reference
invalid memory.

Move the failure point before registering the nvmem device.

Signed-off-by: Daniel Okazaki <dtokazaki at google.com>
Fixes: b20eb4c1f026 ("eeprom: at24: drop unnecessary label")
Cc: stable at vger.kernel.org
Link: https://lore.kernel.org/r/20240422174337.2487142-1-dtokazaki@google.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski at linaro.org>
(backported from commit f42c97027fb75776e2e9358d16bf4a99aeb04cf2)
[hui: This backporting drops pm_runtime_status_suspended(),
regulator_disable() and dev_err_probe() since there are several
prerequisite commits missing in the focal kernel:
cd5676db0574 ("misc: eeprom: at24: support pm_runtime control")
2962484dfef8 ("misc: eeprom: at24: check suspend status before disable regulator")
a3c10035d12f ("eeprom: at24: Use dev_err_probe for nvmem register failure")]
CVE-2024-35848
Signed-off-by: Hui Wang <hui.wang at canonical.com>
---
 drivers/misc/eeprom/at24.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c
index 96cd8630838f..07092df45d5e 100644
--- a/drivers/misc/eeprom/at24.c
+++ b/drivers/misc/eeprom/at24.c
@@ -701,12 +701,6 @@ static int at24_probe(struct i2c_client *client)
 	pm_runtime_set_active(dev);
 	pm_runtime_enable(dev);
 
-	at24->nvmem = devm_nvmem_register(dev, &nvmem_config);
-	if (IS_ERR(at24->nvmem)) {
-		pm_runtime_disable(dev);
-		return PTR_ERR(at24->nvmem);
-	}
-
 	/*
 	 * Perform a one-byte test read to verify that the
 	 * chip is functional.
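Review bot: The comment kept as context at the end of this hunk still says only that the one-byte read verifies the chip is functional, and nothing records that the read now has to come before devm_nvmem_register(). With the registration block removed from in front of it, that ordering is the whole fix: per the commit message, a device registered before a failing read gets torn down while other drivers may still reference it. Consider adding a line to the comment, for example "must run before devm_nvmem_register()", so a later cleanup does not move the registration back above the read.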
@@ -717,6 +711,12 @@ static int at24_probe(struct i2c_client *client)
 		return -ENODEV;
 	}
 
+	at24->nvmem = devm_nvmem_register(dev, &nvmem_config);
+	if (IS_ERR(at24->nvmem)) {
+		pm_runtime_disable(dev);
+		return PTR_ERR(at24->nvmem);
+	}
+
 	pm_runtime_idle(dev);
 
 	dev_info(dev, "%u byte %s EEPROM, %s, %u bytes/write\n",
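Review bot: The test-read failure branch directly above the added block is visible here only as "return -ENODEV;", so its cleanup cannot be checked from this hunk; please confirm that in the focal tree it calls pm_runtime_disable(dev) the same way the added devm_nvmem_register() error path does. The added block itself matches the removed one line for line, which is consistent with the backport note about dropping regulator_disable() and dev_err_probe(). One consequence is that a registration failure returns PTR_ERR(at24->nvmem) without a log message, which is acceptable for a minimal SRU change if that is the intent.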
-- 
2.34.1



