lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <e784e7b8-8e18-42b5-bb0f-76cbe6af025e@xs4all.nl>
Date: Wed, 14 Feb 2024 10:13:11 +0100
From: Hans Verkuil <hverkuil-cisco@...all.nl>
To: Zhipeng Lu <alexious@....edu.cn>
Cc: Mauro Carvalho Chehab <mchehab@...nel.org>, linux-media@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] [v2] media: go7007: fix a memleak in go7007_load_encoder

On 06/02/2024 07:50, Zhipeng Lu wrote:
> In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without
> a deallocation thereafter. After the following call chain:
> 
> saa7134_go7007_init
>   |-> go7007_boot_encoder
>         |-> go7007_load_encoder
>   |-> kfree(go)
> 
> go is freed and thus bounce is leaked.
> 
> Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware")
> Signed-off-by: Zhipeng Lu <alexious@....edu.cn>
> ---
> Changelog:
> 
> v2: free go->boot_fw instead of bounce
> 
> P.S. I'm sincerely apologize for sending a wrong v2 patch with no
> change applied. I forgot to add the changes to commit and missing
> it when checking. Please use this patch as the version 2.
> ---
>  drivers/media/usb/go7007/go7007-driver.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c
> index 0c24e2984304..c0a47e596339 100644
> --- a/drivers/media/usb/go7007/go7007-driver.c
> +++ b/drivers/media/usb/go7007/go7007-driver.c
> @@ -80,7 +80,7 @@ static int go7007_load_encoder(struct go7007 *go)
>  	const struct firmware *fw_entry;
>  	char fw_name[] = "go7007/go7007fw.bin";
>  	void *bounce;
> -	int fw_len, rv = 0;
> +	int fw_len;
>  	u16 intr_val, intr_data;
>  
>  	if (go->boot_fw == NULL) {
> @@ -109,9 +109,10 @@ static int go7007_load_encoder(struct go7007 *go)
>  	    go7007_read_interrupt(go, &intr_val, &intr_data) < 0 ||
>  			(intr_val & ~0x1) != 0x5a5a) {
>  		v4l2_err(go, "error transferring firmware\n");
> -		rv = -1;
> +		kfree(go->boot_fw);

I think it is best if you add this line here:

		go->boot_fw = NULL;

It makes the code more robust in case go7007_load_encoder() is called again.

Regards,

	Hans

> +		return -1;
>  	}
> -	return rv;
> +	return 0;
>  }
>  
>  MODULE_FIRMWARE("go7007/go7007fw.bin");

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ