[Openipmi-developer] [PATCH stable] ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()

Brendan Jackman via Openipmi-developer Tue, 01 Jul 2025 05:23:14 -0700

From: Dan Carpenter <dan.carpen...@linaro.org>

commit fa332f5dc6fc662ad7d3200048772c96b861cf6b upstream


The "intf" list iterator is an invalid pointer if the correct
"intf->intf_num" is not found.  Calling atomic_dec(&intf->nr_users) on
and invalid pointer will lead to memory corruption.

We don't really need to call atomic_dec() if we haven't called
atomic_add_return() so update the if (intf->in_shutdown) path as well.

Fixes: 8e76741c3d8b ("ipmi: Add a limit on the number of users that may use 
IPMI")
Signed-off-by: Dan Carpenter <dan.carpen...@linaro.org>
Message-ID: <aBjMZ8RYrOt6NOgi@stanley.mountain>
Signed-off-by: Corey Minyard <co...@minyard.net>
Signed-off-by: Brendan Jackman <jackm...@google.com>
---
I have tested this in 6.12 with Google's platform drivers added to
reproduce the bug.  The bug causes the panic notifier chain to get
corrupted leading to a crash. With the fix this goes away.

Applies to 6.6 too but I haven't tested it there.

Backport changes:

- Dropped change to the `if (intf->in_shutdown)` block since that logic
  doesn't exist yet.
- Modified out_unlock to release the srcu lock instead of the mutex
  since we don't have the mutex here yet.
---
 drivers/char/ipmi/ipmi_msghandler.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/char/ipmi/ipmi_msghandler.c 
b/drivers/char/ipmi/ipmi_msghandler.c
index 
e12b531f5c2f338008a42dc2c35b0a62395c9f3c..6a4a8ecd0edd02793eda70f9f9ae578e37da477f
 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -1241,7 +1241,7 @@ int ipmi_create_user(unsigned int          if_num,
        }
        /* Not found, return an error */
        rv = -EINVAL;
-       goto out_kfree;
+       goto out_unlock;
 
  found:
        if (atomic_add_return(1, &intf->nr_users) > max_users) {
@@ -1283,6 +1283,7 @@ int ipmi_create_user(unsigned int          if_num,
 
 out_kfree:
        atomic_dec(&intf->nr_users);
+out_unlock:
        srcu_read_unlock(&ipmi_interfaces_srcu, index);
        vfree(new_user);
        return rv;

---
base-commit: 783cd2c3dca8b6c434e955b84c20c8940588dc68
change-id: 20250630-ipmi-fix-c565f7098afd

Best regards,
-- 
Brendan Jackman <jackm...@google.com>



_______________________________________________
Openipmi-developer mailing list
Openipmi-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openipmi-developer

[Openipmi-developer] [PATCH stable] ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()

Reply via email to