lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <67D8F9B1-3121-469A-8F50-952BD4C0C99F@collabora.com>
Date: Thu, 4 Sep 2025 16:09:56 -0300
From: Daniel Almeida <daniel.almeida@...labora.com>
To: Jeongjun Park <aha310510@...il.com>
Cc: mchehab@...nel.org,
 linux-media@...r.kernel.org,
 linux-kernel@...r.kernel.org,
 stable@...r.kernel.org,
 syzbot+1d9c0edea5907af239e0@...kaller.appspotmail.com
Subject: Re: [PATCH v2 RESEND] media: vidtv: initialize local pointers upon
 transfer of memory ownership

Hi Jeongjun,

You’re resending this, but there were comments on v2.

If you’ve taken steps to address them, please send a v3 instead.

> On 4 Sep 2025, at 02:40, Jeongjun Park <aha310510@...il.com> wrote:
> 
> vidtv_channel_si_init() creates a temporary list (program, service, event)
> and ownership of the memory itself is transferred to the PAT/SDT/EIT
> tables through vidtv_psi_pat_program_assign(),
> vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
> 
> The problem here is that the local pointer where the memory ownership
> transfer was completed is not initialized to NULL. This causes the
> vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and
> in the flow that jumps to free_eit, the memory that was freed by
> vidtv_psi_*_table_destroy() can be accessed again by
> vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it
> is freed once again.
> 
> Therefore, to prevent use-after-free and double-free vuln, local pointers

Please do not use “vuln” instead of vulnerability.

> must be initialized to NULL when transferring memory ownership.
> 
> Cc: <stable@...r.kernel.org>
> Reported-by: syzbot+1d9c0edea5907af239e0@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=1d9c0edea5907af239e0
> Fixes: 3be8037960bc ("media: vidtv: add error checks")
> Signed-off-by: Jeongjun Park <aha310510@...il.com>
> ---
> v2: Improved patch description wording and CC stable mailing list
> - Link to v1: https://lore.kernel.org/all/20250822065849.1145572-1-aha310510@gmail.com/
> ---
> drivers/media/test-drivers/vidtv/vidtv_channel.c | 3 +++
> 1 file changed, 3 insertions(+)

— Daniel


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ