korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-12-22 10:34:55 +08:00
Code Issues Packages Projects Releases Wiki Activity
e70fefdc2e
linux/drivers/media/dvb-core
History
Lin Ma 3a664569b7 media: dvbdev: fix refcnt bug 
Previous commit initialize the dvbdev->ref before the template copy,
which will overwrite the reference and cause refcnt bug.

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc6-next-20221128-syzkaller #0
...
RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
RSP: 0000:ffffc900000678d0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88813ff58000 RSI: ffffffff81660e7c RDI: fffff5200000cf0c
RBP: ffff888022a45010 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 000000000c48e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __refcount_add include/linux/refcount.h:199 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 kref_get include/linux/kref.h:45 [inline]
 dvb_device_get drivers/media/dvb-core/dvbdev.c:585 [inline]
 dvb_register_device+0xe83/0x16e0 drivers/media/dvb-core/dvbdev.c:517
...

Just place the kref_init at correct position.

Reported-by: syzbot+fce48a3dd3368645bd6c@syzkaller.appspotmail.com
Fixes: 0fc044b2b5 ("media: dvbdev: adopts refcnt to avoid UAF")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
2022-12-06 07:17:00 +00:00
..
dmxdev.c media: dvb-core: Fix UAF due to refcount races at releasing 2022-11-04 16:56:43 +01:00
dvb_ca_en50221.c media: dvbdev: adopts refcnt to avoid UAF 2022-11-25 10:08:23 +00:00
dvb_demux.c media: dvb-core: remove variable n, turn for-loop to while-loop 2022-11-04 16:56:45 +01:00
dvb_frontend.c media: dvb-core: Fix ignored return value in dvb_register_frontend() 2022-11-25 10:18:03 +00:00
dvb_math.c media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_net.c media: use eth_hw_addr_set() 2021-10-28 12:46:31 +01:00
dvb_ringbuffer.c media: dvb_ringbuffer : Fix a bug in dvb_ringbuffer.c 2022-11-25 10:05:25 +00:00
dvb_vb2.c media: dvb_vb2: fix possible out of bound access 2022-09-27 10:24:44 +02:00
dvbdev.c media: dvbdev: fix refcnt bug 2022-12-06 07:17:00 +00:00
Kconfig media: Kconfig: cleanup VIDEO_DEV dependencies 2022-03-18 05:58:35 +01:00
Makefile media: dvb: fix DVB_MMAP symbol name 2018-02-23 05:20:01 -05:00