There is a UAF in c_can_pci_remove().
dev is released by free_c_can_dev() and is used by
pci_iounmap(pdev, priv->base) later.
To fix this issue, save the mmio address before releasing dev.
[ 1795.746699]
==
[ 1795.747093] BUG: KASAN:
On 3/1/21 3:45 AM, Tong Zhang wrote:
> There is a UAF in c_can_pci_remove().
> dev is released by free_c_can_dev() and is used by
> pci_iounmap(pdev, priv->base) later.
> To fix this issue, save the mmio address before releasing dev.
>
> [ 1795.746699]
> ==
2 matches
Mail list logo
