-
由 Chengfeng Ye 提交于
stable inclusion from stable-v4.19.242 commit 34380b5647f13fecb458fea9a3eb3d8b3a454709 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7BYU9 CVE: CVE-2023-3159 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=34380b5647f1 -------------------------------- commit b7c81f80 upstream. &e->event and e point to the same address, and &e->event could be freed in queue_event. So there is a potential uaf issue if we dereference e after calling queue_event(). Fix this by adding a temporary variable to maintain e->client in advance, this can avoid the potential uaf issue. Cc: <stable@vger.kernel.org> Signed-off-by: NChengfeng Ye <cyeaa@connect.ust.hk> Signed-off-by: NTakashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://lore.kernel.org/r/20220409041243.603210-2-o-takashi@sakamocchi.jpSigned-off-by: NTakashi Iwai <tiwai@suse.de> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NWang Weiyang <wangweiyang2@huawei.com> Reviewed-by: NXiongfeng Wang <wangxiongfeng2@huawei.com> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com>
160e0014