Message-Id: <20250406165802.100305-1-superman.xpt@gmail.com>
Date: Sun,  6 Apr 2025 09:58:02 -0700
From: Penglei Jiang <superman.xpt@...il.com>
To: mchehab@...nel.org
Cc: standback@....com,
	linux-media@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Penglei Jiang <superman.xpt@...il.com>
Subject: [PATCH] media: dmxdev: fix repeated initialization of ringbuffer in dvb_dvr_open()

The dvb_dvr_open() function has an issue where it repeatedly
initializes the data and queue fields of the dvb_ringbuffer.
We should not reinitialize the queue field in the open function,
and if the data field is not empty, the initialization process
should be skipped.

Reported-by: syzbot+4e21d5f67b886a692b55@...kaller.appspotmail.com
Closes: https://lore.kernel.org/all/67917ed8.050a0220.15cac.02eb.GAE@google.com
Tested-by: Jianzhou Zhao <xnxc22xnxc22@...com>
Signed-off-by: Penglei Jiang <superman.xpt@...il.com>
---
 drivers/media/dvb-core/dmxdev.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 6063782e937a..82fd060430cd 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -113,6 +113,17 @@ static struct dmx_frontend *get_fe(struct dmx_demux *demux, int type)
 	return NULL;
 }
 
+static void dvb_ringbuffer_init_noqueue(struct dvb_ringbuffer *ringbuffer,
+		void *data, size_t len)
+{
+	ringbuffer->pread = 0;
+	ringbuffer->pwrite = 0;
+	ringbuffer->data = data;
+	ringbuffer->size = len;
+	ringbuffer->error = 0;
+	spin_lock_init(&(ringbuffer->lock));
+}
+
 static int dvb_dvr_open(struct inode *inode, struct file *file)
 {
 	struct dvb_device *dvbdev = file->private_data;
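Review bot: In dvb_ringbuffer_init_noqueue(), the trailing spin_lock_init(&(ringbuffer->lock)) still re-initializes the lock every time dvb_dvr_open() reaches this helper, which is the same kind of repeated initialization the commit message objects to for the queue field. If the lock is set up once elsewhere, as the queue is expected to be, drop that line here; otherwise explain in the commit message why re-initializing it in open is safe. The helper also needs a short comment saying which fields it deliberately leaves untouched and why, it would sit more naturally beside dvb_ringbuffer_init() than in dmxdev.c, and the extra parentheses in &(ringbuffer->lock) can go.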
@@ -156,7 +167,7 @@ static int dvb_dvr_open(struct inode *inode, struct file *file)
 		}
 	}
 
-	if (need_ringbuffer) {
+	if (need_ringbuffer && !dmxdev->dvr_buffer.data) {
 		void *mem;
 
 		if (!dvbdev->readers) {
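Review bot: The new condition `need_ringbuffer && !dmxdev->dvr_buffer.data` skips the whole block, so the `if (!dvbdev->readers)` check at its top is no longer evaluated when a buffer is already attached. Please confirm that bypassing the reader check in that case is intended. The test is also only correct if dvr_buffer.data is reset to NULL when the buffer is freed and if that reset is serialized with this check by dmxdev->mutex; the diff does not show that path, so the commit message should say where it happens.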
@@ -168,7 +179,8 @@ static int dvb_dvr_open(struct inode *inode, struct file *file)
 			mutex_unlock(&dmxdev->mutex);
 			return -ENOMEM;
 		}
-		dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
+		dvb_ringbuffer_init_noqueue(
+			&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
 		if (dmxdev->may_do_mmap)
 			dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
 				     file->f_flags & O_NONBLOCK);
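Review bot: Because this call sits inside the block now guarded by `!dmxdev->dvr_buffer.data`, the dvb_vb2_init() that follows it also runs only on the open that allocates the buffer, so a later open never applies its own `file->f_flags & O_NONBLOCK` to dvr_vb2_ctx. If that is intended, say so in the commit message; if not, move the vb2 setup out of the guarded block. On style, the line break straight after the opening parenthesis differs from the dvb_vb2_init() call just below, which aligns its continuation with the parenthesis; keep the first argument on the call line and align the rest the same way.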
-- 
2.17.1

