Message-ID: <1e782001-7f5c-623e-f4c6-6e1e0fc90598@cogentembedded.com>
Date: Mon, 15 Apr 2019 19:22:29 +0300
From: Sergei Shtylyov <sergei.shtylyov@...entembedded.com>
To: Oliver Neukum <oneukum@...e.com>, syzbot <syzbot+26ec41e9f788b3eba396@...kaller.appspotmail.com>, andreyknvl@...gle.com, syzkaller-bugs@...glegroups.com, mchehab@...nel.org, corbet@....net, linux-kernel@...r.kernel.org, linux-media@...r.kernel.org, linux-usb@...r.kernel.org
Subject: Re: KASAN: use-after-free Read in dvb_usb_device_exit

Hello!

On 04/15/2019 02:12 PM, Oliver Neukum wrote:

[...]
> From d6097d205ac61745334b79639d3b8b910ae66c71 Mon Sep 17 00:00:00 2001
> From: Oliver Neukum <oneukum@...e.com>
> Date: Mon, 15 Apr 2019 13:06:01 +0200
> Subject: [PATCH] dvb: usb: fix use after free in dvb_usb_device_exit
>
> dvb_usb_device_exit() frees and uses teh device name in that order

s/teh/the/.

> Fix by storing the name in a buffer before freeing it
>
> Signed-off-by: Oliver Neukum <oneukum@...e.com>
> Reported-by: syzbot+26ec41e9f788b3eba396@...kaller.appspotmail.com
> ---
>  drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> index 99951e02a880..2e1670cc3903 100644
> --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
> +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> @@ -288,13 +288,18 @@ void dvb_usb_device_exit(struct usb_interface *intf) > { > struct dvb_usb_device *d = usb_get_intfdata(intf); > const char *name = "generic DVB-USB module"; > + char identifier[40]; > > usb_set_intfdata(intf, NULL); > if (d != NULL && d->desc != NULL) { > name = d->desc->name; > + memcpy(identifier, name, 39); > + identifier[39] = NULL; NULL is for pointers, no? > dvb_usb_exit(d); > + } else { > + memcpy(identifier, name, 39); > } > - info("%s successfully deinitialized and disconnected.", name); > + info("%s successfully deinitialized and disconnected.", identifier); > > } > EXPORT_SYMBOL(dvb_usb_device_exit); MBR, Sergei
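Review bot: Both memcpy(identifier, name, 39) calls copy a fixed 39 bytes regardless of how long the source string is. In the else branch the source is the literal "generic DVB-USB module", which is much shorter than 39 bytes, so the copy reads past the end of the literal; the same over-read happens in the if branch whenever d->desc->name is shorter than the buffer. A bounded string copy such as strscpy(identifier, name, sizeof(identifier)) stops at the terminator and always NUL-terminates the destination, which makes the separate identifier[39] = NULL; line unnecessary. If the explicit terminator is kept, it should be '\0', since NULL is a pointer constant, and it is currently set only in the if branch.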