lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CALbr=LaRymJY54fGc-90rCZ9YEbx_oaU4uk9YSe9vSYs1ERCXw@mail.gmail.com>
Date: Tue, 20 Jan 2026 20:13:37 +0800
From: Gui-Dong Han <hanguidong02@...il.com>
To: mchehab@...nel.org
Cc: hverkuil+cisco@...nel.org, linux-media@...r.kernel.org, 
	linux-kernel@...r.kernel.org, baijiaju1990@...il.com, stable@...r.kernel.org
Subject: Re: [PATCH] media: dvb_demux: fix potential TOCTOU race conditions

On Tue, Jan 20, 2026 at 6:41 PM Gui-Dong Han <hanguidong02@...il.com> wrote:
>
> The dvb_demux functions handle frontend connectivity without holding
> dvbdemux->mutex during checks, leading to TOCTOU race conditions. In
> dvbdmx_write(), a concurrent dvbdmx_disconnect_frontend() can set
> demux->frontend to NULL after the check, causing a potential NULL pointer
> dereference. In dvbdmx_connect_frontend(), a concurrent connection could
> set the frontend between the check and the lock. This allows the second
> caller to overwrite the existing frontend, leading to resource leaks.
> The dvb_demux module should use its own mutex to ensure thread safety
> for these internal state checks.
>
> Fix this by extending the lock scope. Move the frontend state checks
> inside the dvbdemux->mutex critical section to ensure the state remains
> stable during the operation.
>
> This possible bug was found by our experimental static analysis tool,
> which analyzes lock usage to detect TOCTOU issues.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@...r.kernel.org
> Signed-off-by: Gui-Dong Han <hanguidong02@...il.com>
> ---
>  drivers/media/dvb-core/dvb_demux.c | 21 +++++++++++++--------
>  1 file changed, 13 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
> index 290fc7961647..e9e833285f0f 100644
> --- a/drivers/media/dvb-core/dvb_demux.c
> +++ b/drivers/media/dvb-core/dvb_demux.c
> @@ -1147,15 +1147,18 @@ static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t
>         struct dvb_demux *dvbdemux = (struct dvb_demux *)demux;
>         void *p;
>
> -       if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE))
> +       if (mutex_lock_interruptible(&dvbdemux->mutex))
> +               return -ERESTARTSYS;
> +
> +       if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE)) {

I have fixed the redundant parentheses issue reported by the Media CI
robot. I missed this earlier because I ran checkpatch without the
--strict option locally.

v2 has been sent.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ