Message-ID: <CAJedcCzndsT41OqWcuHKmZTeH-Mh9OvaucZ21iKS3si91JO5pw@mail.gmail.com>
Date: Thu, 13 Apr 2023 18:00:40 +0800
From: Zheng Hacker <hackerzheng666@...il.com>
To: Hans Verkuil <hverkuil@...all.nl>
Cc: Zheng Wang <zyytlz.wz@....com>,
Deborah Brouwer <deborahbrouwer3563@...il.com>,
laurent.pinchart@...asonboard.com, sakari.ailus@...ux.intel.com,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
alex000young@...il.com, security@...nel.org, hdanton@...a.com,
mchehab@...nel.org
Subject: Re: [PATCH v3] media: bttv: fix use after free error due to
btv->timeout timer
Hans Verkuil <hverkuil@...all.nl> wrote on Thu, 13 Apr 2023 at 17:18:
>
> Hi Zheng,
>
> Deb Brouwer is working on converting bttv to the vb2 framework, so I want to
> wait for that to finish before taking other bttv patches.
>
> I suspect this is still valid post-vb2 conversion, but I'm not certain.
>
> Regards,
>
> Hans
>
Hi Hans,
Thank you for your prompt response and for letting me know about the
conversion of BTTV to the vb2 framework by Deb Brouwer.
I will wait for that to finish before submitting any other BTTV patches.
Best regards,
Zheng
> On 13/04/2023 05:49, Zheng Wang wrote:
> > There may be a race condition between the timer function
> > bttv_irq_timeout and bttv_remove. The timer is set up in
> > probe and there is no timer_delete operation in the remove
> > function. When it hits kfree(btv), the function might still be
> > invoked, which will cause a use-after-free bug.
> >
> > This bug was found by static analysis; it may be a false positive.
> >
> > Fix it by adding a del_timer_sync call to the remove function.
> >
> > cpu0                        cpu1
> > bttv_probe
> >   ->timer_setup
> >   ->bttv_set_dma
> >     ->mod_timer;
> >                             bttv_remove
> >                               ->kfree(btv);
> > ->bttv_irq_timeout
> >   ->USE btv
> >
> > Fixes: 162e6376ac58 ("media: pci: Convert timers to use timer_setup()")
> > Signed-off-by: Zheng Wang <zyytlz.wz@....com>
> > ---
> > v3:
> > - Add Fix label
> > v2:
> > - stop replacing del_timer with del_timer_sync suggested by Hillf Danton
> > ---
> > drivers/media/pci/bt8xx/bttv-driver.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
> > index d40b537f4e98..24ba5729969d 100644
> > --- a/drivers/media/pci/bt8xx/bttv-driver.c
> > +++ b/drivers/media/pci/bt8xx/bttv-driver.c
> > @@ -4248,6 +4248,7 @@ static void bttv_remove(struct pci_dev *pci_dev)
> >
> > /* free resources */
> > free_irq(btv->c.pci->irq,btv);
> > + del_timer_sync(&btv->timeout);
> > iounmap(btv->bt848_mmio);
> > release_mem_region(pci_resource_start(btv->c.pci,0),
> > pci_resource_len(btv->c.pci,0));
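Review bot: del_timer_sync(&btv->timeout) here only waits for an in-flight bttv_irq_timeout() to finish; it does not stop the timer from being re-armed, so any caller of mod_timer(&btv->timeout) that can still run at this point (the commit message names the bttv_set_dma() path) would start it again after the sync and the use after kfree(btv) would remain possible. The placement is right for the paths visible in the hunk: after free_irq() so the interrupt handler can no longer re-arm it, and before iounmap() so the callback cannot touch btv->bt848_mmio once it is unmapped. Please state in the commit message that the remaining mod_timer() callers are quiesced earlier in bttv_remove(), since the fix depends on that, and note that the finding comes from static analysis without a reproducer.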
>