Message-ID: <20250626162856.176083-1-d.dulov@aladdin.ru>
Date: Thu, 26 Jun 2025 19:28:56 +0300
From: Daniil Dulov <d.dulov@...ddin.ru>
To: Mauro Carvalho Chehab <mchehab@...nel.org>
CC: Daniil Dulov <d.dulov@...ddin.ru>, <linux-media@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>, <lvc-project@...uxtesting.org>
Subject: [PATCH] media: dvb_demux: Fix potential data race in dvbdmx_write()

The field frontend of the struct dmx_demux is protected by the lock mutex
of the struct dvb_demux while connecting or disconnecting the frontend.
However, demux->frontend is checked for NULL and then it is dereferenced
without holding the appropriate lock.

Thus, it is possible that the NULL check is passed, right after which
the other thread disconnects the frontend which leads to a NULL pointer
dereference.

To avoid this potential data race, acquire the lock before accessing the
frontend field of the struct dmx_demux.

Found by Linux Verification Center (linuxtesting.org).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Daniil Dulov <d.dulov@...ddin.ru>
---
 drivers/media/dvb-core/dvb_demux.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
index 7c4d86bfdd6c..b0dab6f78ad8 100644
--- a/drivers/media/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb-core/dvb_demux.c
@@ -1141,9 +1141,6 @@ static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t
 	struct dvb_demux *dvbdemux = (struct dvb_demux *)demux;
 	void *p;
 
-	if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE))
-		return -EINVAL;
-
 	p = memdup_user(buf, count);
 	if (IS_ERR(p))
 		return PTR_ERR(p);
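
Review bot: With the frontend check removed from the top of dvbdmx_write(), memdup_user(buf, count) now runs before the function knows whether demux->frontend is a DMX_MEMORY_FE. A write to a demux without a memory frontend therefore allocates and copies count bytes from user space only to be rejected afterwards, and that caller can now get PTR_ERR(p) where it previously got -EINVAL. If this change in ordering and error precedence is intended, it should be stated in the commit message. The alternative is to take the mutex before the copy, at the cost of holding it across memdup_user().
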
@@ -1151,6 +1148,13 @@ static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t
 		kfree(p);
 		return -ERESTARTSYS;
 	}
+
+	if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE)) {
+		mutex_unlock(&dvbdemux->mutex);
+		kfree(p);
+		return -EINVAL;
+	}
+
 	dvb_dmx_swfilter(dvbdemux, p, count);
 	kfree(p);
 	mutex_unlock(&dvbdemux->mutex);
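
Review bot: The new -EINVAL branch after the lock is taken repeats the mutex_unlock(&dvbdemux->mutex) and kfree(p) cleanup that already ends the function two lines further down. A ret variable and a single exit label after dvb_dmx_swfilter() would keep the unlock and free in one place and make it harder for a later change to miss one of them. Separately, the fix is only sound if the connect and disconnect paths modify demux->frontend under this same dvbdemux->mutex. The commit message says so, but the hunk does not show it, so naming those functions in the message would let the claim be checked.
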
-- 
2.34.1

