korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-12-15 06:55:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
a574359e2e
linux/drivers/media/dvb-core
History
Chen Zhongjin a574359e2e media: dvb-core: Fix ignored return value in dvb_register_frontend() 
In dvb_register_frontend(), dvb_register_device() is possible to fail
but its return value is ignored.

It will cause use-after-free when module is removed, because in
dvb_unregister_frontend() it tries to unregister a not registered
device.

BUG: KASAN: use-after-free in dvb_remove_device+0x18b/0x1f0 [dvb_core]
Read of size 4 at addr ffff88800dff4824 by task rmmod/428
CPU: 3 PID: 428 Comm: rmmod
Call Trace:
 <TASK>
 ...
 dvb_remove_device+0x18b/0x1f0 [dvb_core]
 dvb_unregister_frontend+0x7b/0x130 [dvb_core]
 vidtv_bridge_remove+0x6e/0x160 [dvb_vidtv_bridge]
 ...

Fix this by catching return value of dvb_register_device().
However the fe->refcount can't be put to zero immediately, because
there are still modules calling dvb_frontend_detach() when
dvb_register_frontend() fails.

Link: https://lore.kernel.org/linux-media/20221108033005.169095-1-chenzhongjin@huawei.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
2022-11-25 10:18:03 +00:00
..
dmxdev.c media: dvb-core: Fix UAF due to refcount races at releasing 2022-11-04 16:56:43 +01:00
dvb_ca_en50221.c media: dvbdev: adopts refcnt to avoid UAF 2022-11-25 10:08:23 +00:00
dvb_demux.c media: dvb-core: remove variable n, turn for-loop to while-loop 2022-11-04 16:56:45 +01:00
dvb_frontend.c media: dvb-core: Fix ignored return value in dvb_register_frontend() 2022-11-25 10:18:03 +00:00
dvb_math.c media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_net.c media: use eth_hw_addr_set() 2021-10-28 12:46:31 +01:00
dvb_ringbuffer.c media: dvb_ringbuffer : Fix a bug in dvb_ringbuffer.c 2022-11-25 10:05:25 +00:00
dvb_vb2.c media: dvb_vb2: fix possible out of bound access 2022-09-27 10:24:44 +02:00
dvbdev.c media: dvbdev: adopts refcnt to avoid UAF 2022-11-25 10:08:23 +00:00
Kconfig media: Kconfig: cleanup VIDEO_DEV dependencies 2022-03-18 05:58:35 +01:00
Makefile media: dvb: fix DVB_MMAP symbol name 2018-02-23 05:20:01 -05:00