• Muchun Song's avatar
    gpiolib: Fix possible use after free on label · 4672971c
    Muchun Song authored
    [ Upstream commit 18534df4 ]
    gpiod_request_commit() copies the pointer to the label passed as
    an argument only to be used later. But there's a chance the caller
    could immediately free the passed string(e.g., local variable).
    This could trigger a use after free when we use gpio label(e.g.,
    gpiochip_unlock_as_irq(), gpiochip_is_requested()).
    To be on the safe side: duplicate the string with kstrdup_const()
    so that if an unaware user passes an address to a stack-allocated
    buffer, we won't get the arbitrary label.
    Also fix gpiod_set_consumer_name().
    Signed-off-by: default avatarMuchun Song <smuchun@gmail.com>
    Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
    Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
gpiolib.c 127 KB