linux/drivers/media
Wang Hai ab599eb118 media: dmxdev: fix UAF when dvb_register_device() fails
I got a use-after-free report:

dvbdev: dvb_register_device: failed to create device dvb1.dvr0 (-12)
...
==================================================================
BUG: KASAN: use-after-free in dvb_dmxdev_release+0xce/0x2f0
...
Call Trace:
 dump_stack_lvl+0x6c/0x8b
 print_address_description.constprop.0+0x48/0x70
 kasan_report.cold+0x82/0xdb
 __asan_load4+0x6b/0x90
 dvb_dmxdev_release+0xce/0x2f0
...
Allocated by task 7666:
 kasan_save_stack+0x23/0x50
 __kasan_kmalloc+0x83/0xa0
 kmem_cache_alloc_trace+0x22e/0x470
 dvb_register_device+0x12f/0x980
 dvb_dmxdev_init+0x1f3/0x230
...
Freed by task 7666:
 kasan_save_stack+0x23/0x50
 kasan_set_track+0x20/0x30
 kasan_set_free_info+0x24/0x40
 __kasan_slab_free+0xf2/0x130
 kfree+0xd1/0x5c0
 dvb_register_device.cold+0x1ac/0x1fa
 dvb_dmxdev_init+0x1f3/0x230
...

When dvb_register_device() in dvb_dmxdev_init() fails, dvb_dmxdev_init()
does not return a failure, and the memory pointed to by dvbdev or
dvr_dvbdev is invalid at this point. If they are used subsequently, it
will result in UAF or null-ptr-deref.

If dvb_register_device() in dvb_dmxdev_init() fails, fix the bug by making
dvb_dmxdev_init() return an error as well.

Link: https://lore.kernel.org/linux-media/20211015085741.1203283-1-wanghai38@huawei.com

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
2021-11-19 15:17:57 +00:00
cec media: CEC: keep related menu entries together 2021-10-05 09:39:32 +02:00
common media: videobuf2: Fix the size printk format 2021-11-15 08:11:31 +00:00
dvb-core media: dmxdev: fix UAF when dvb_register_device() fails 2021-11-19 15:17:57 +00:00
dvb-frontends Merge branch 'akpm' (patches from Andrew) 2021-11-09 10:11:53 -08:00
firewire media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() 2021-09-30 10:07:54 +02:00
i2c media: dw9768: activate runtime PM and turn off device 2021-11-15 08:11:34 +00:00
mc media: Request API is no longer experimental 2021-09-30 10:07:55 +02:00
mmc media updates for v5.8-rc1 2020-06-03 20:59:38 -07:00
pci media: tw5864: Disable PCI device when finished 2021-11-15 08:12:01 +00:00
platform media: coda: V4L2_PIX_FMT_GREY for coda960 JPEG Encoder 2021-11-19 06:10:06 +00:00
radio media: si470x: Avoid card name truncation 2021-09-30 10:08:00 +02:00
rc media: redrat3: fix control-message timeouts 2021-11-19 06:04:16 +00:00
spi media: cxd2880-spi: Fix a null pointer dereference on error handling path 2021-09-30 10:07:40 +02:00
test-drivers media: vidtv: move kfree(dvb) to vidtv_bridge_dev_release() 2021-10-19 08:08:19 +01:00
tuners Linux 5.15-rc4 2021-10-04 07:52:13 +02:00
usb media: stk1160: fix control-message timeouts 2021-11-19 06:08:52 +00:00
v4l2-core media: v4l2-ioctl.c: readbuffers depends on V4L2_CAP_READWRITE 2021-11-15 08:12:04 +00:00
Kconfig media: correct MEDIA_TEST_SUPPORT help text 2021-11-15 08:12:06 +00:00
Makefile media: media/test_drivers: rename to test-drivers 2020-04-16 10:38:31 +02:00