lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 15 Apr 2019 19:22:29 +0300
From:   Sergei Shtylyov <sergei.shtylyov@...entembedded.com>
To:     Oliver Neukum <oneukum@...e.com>,
        syzbot <syzbot+26ec41e9f788b3eba396@...kaller.appspotmail.com>,
        andreyknvl@...gle.com, syzkaller-bugs@...glegroups.com,
        mchehab@...nel.org, corbet@....net, linux-kernel@...r.kernel.org,
        linux-media@...r.kernel.org, linux-usb@...r.kernel.org
Subject: Re: KASAN: use-after-free Read in dvb_usb_device_exit

Hello!

On 04/15/2019 02:12 PM, Oliver Neukum wrote:

[...]
> From d6097d205ac61745334b79639d3b8b910ae66c71 Mon Sep 17 00:00:00 2001
> From: Oliver Neukum <oneukum@...e.com>
> Date: Mon, 15 Apr 2019 13:06:01 +0200
> Subject: [PATCH] dvb: usb: fix use after free in dvb_usb_device_exit
> 
> dvb_usb_device_exit() frees and uses teh device name in that order

   s/teh/the/.

> Fix by storing the name in a buffer before freeing it
> 
> Signed-off-by: Oliver Neukum <oneukum@...e.com>
> Reported-by: syzbot+26ec41e9f788b3eba396@...kaller.appspotmail.com
> ---
>  drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> index 99951e02a880..2e1670cc3903 100644
> --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
> +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> @@ -288,13 +288,18 @@ void dvb_usb_device_exit(struct usb_interface *intf)
>  {
>  	struct dvb_usb_device *d = usb_get_intfdata(intf);
>  	const char *name = "generic DVB-USB module";
> +	char identifier[40];
>  
>  	usb_set_intfdata(intf, NULL);
>  	if (d != NULL && d->desc != NULL) {
>  		name = d->desc->name;
> +		memcpy(identifier, name, 39);
> +		identifier[39] = NULL;

   NULL is for pointers, no?

>  		dvb_usb_exit(d);
> +	} else {
> +		memcpy(identifier, name, 39);
>  	}
> -	info("%s successfully deinitialized and disconnected.", name);
> +	info("%s successfully deinitialized and disconnected.", identifier);
>  
>  }
>  EXPORT_SYMBOL(dvb_usb_device_exit);

MBR, Sergei

Powered by blists - more mailing lists