| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1e782001-7f5c-623e-f4c6-6e1e0fc90598@cogentembedded.com>
Date: Mon, 15 Apr 2019 19:22:29 +0300
From: Sergei Shtylyov <sergei.shtylyov@...entembedded.com>
To: Oliver Neukum <oneukum@...e.com>,
syzbot <syzbot+26ec41e9f788b3eba396@...kaller.appspotmail.com>,
andreyknvl@...gle.com, syzkaller-bugs@...glegroups.com,
mchehab@...nel.org, corbet@....net, linux-kernel@...r.kernel.org,
linux-media@...r.kernel.org, linux-usb@...r.kernel.org
Subject: Re: KASAN: use-after-free Read in dvb_usb_device_exit
Hello!
On 04/15/2019 02:12 PM, Oliver Neukum wrote:
[...]
> From d6097d205ac61745334b79639d3b8b910ae66c71 Mon Sep 17 00:00:00 2001
> From: Oliver Neukum <oneukum@...e.com>
> Date: Mon, 15 Apr 2019 13:06:01 +0200
> Subject: [PATCH] dvb: usb: fix use after free in dvb_usb_device_exit
>
> dvb_usb_device_exit() frees and uses teh device name in that order
s/teh/the/.
> Fix by storing the name in a buffer before freeing it
>
> Signed-off-by: Oliver Neukum <oneukum@...e.com>
> Reported-by: syzbot+26ec41e9f788b3eba396@...kaller.appspotmail.com
> ---
> drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> index 99951e02a880..2e1670cc3903 100644
> --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
> +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> @@ -288,13 +288,18 @@ void dvb_usb_device_exit(struct usb_interface *intf)
> {
> struct dvb_usb_device *d = usb_get_intfdata(intf);
> const char *name = "generic DVB-USB module";
> + char identifier[40];
>
> usb_set_intfdata(intf, NULL);
> if (d != NULL && d->desc != NULL) {
> name = d->desc->name;
> + memcpy(identifier, name, 39);
> + identifier[39] = NULL;
NULL is for pointers, no?
> dvb_usb_exit(d);
> + } else {
> + memcpy(identifier, name, 39);
> }
> - info("%s successfully deinitialized and disconnected.", name);
> + info("%s successfully deinitialized and disconnected.", identifier);
>
> }
> EXPORT_SYMBOL(dvb_usb_device_exit);
MBR, Sergei
Powered by blists - more mailing lists