Message-ID: <69886ef5.a00a0220.37c87e.0049.GAE@google.com>
Date: Sun, 08 Feb 2026 03:09:41 -0800
From: syzbot <syzbot+01d4620886bee3db0e74@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] media: dvb-core: fix uninit-value in dvbdmx_release_ts_feed()

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] media: dvb-core: fix uninit-value in dvbdmx_release_ts_feed()
Author: suunj1331@...il.com

dvb_dmx_init() allocates feed and filter arrays with vmalloc_array(),
which does not initialize the allocated memory. If an error occurs during
dvb_dmxdev_start_feed() and dvbdmx_release_ts_feed() is called on a feed
that was never properly set up, dvbdmx_release_ts_feed() reads
uninitialized fields from the feed structure, triggering a KMSAN
uninit-value warning.

Fix this by using vcalloc() instead of vmalloc_array() to ensure the
structures are zero-initialized at allocation time.

Reported-by: syzbot+01d4620886bee3db0e74@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=01d4620886bee3db0e74
Fixes: e4b21577b463 ("media: dvb-core: use vmalloc_array to simplify code")
Signed-off-by: SeungJu Cheon <suunj1331@...il.com>
---
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

 drivers/media/dvb-core/dvb_demux.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
index 290fc7961647..5c046db122ea 100644
--- a/drivers/media/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb-core/dvb_demux.c
@@ -1244,13 +1244,13 @@ int dvb_dmx_init(struct dvb_demux *dvbdemux)
 
 	dvbdemux->cnt_storage = NULL;
 	dvbdemux->users = 0;
-	dvbdemux->filter = vmalloc_array(dvbdemux->filternum,
+	dvbdemux->filter = vcalloc(dvbdemux->filternum,
 					 sizeof(struct dvb_demux_filter));
 
 	if (!dvbdemux->filter)
 		return -ENOMEM;
 
-	dvbdemux->feed = vmalloc_array(dvbdemux->feednum,
+	dvbdemux->feed = vcalloc(dvbdemux->feednum,
 				       sizeof(struct dvb_demux_feed));
 	if (!dvbdemux->feed) {
 		vfree(dvbdemux->filter);
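Review bot: the continuation lines of both allocations (`sizeof(struct dvb_demux_filter));` and `sizeof(struct dvb_demux_feed));`) are left as unchanged context, so they are still indented to line up with the opening parenthesis of the longer `vmalloc_array(` and no longer align under `vcalloc(`. Re-indent them, or join each call onto one line if it fits, which turns both into changed lines in this hunk. Separately, the commit message says dvbdmx_release_ts_feed() reads uninitialized fields but does not name them; stating which fields are read, and that an all-zero value is the state the release path expects for a feed that was never set up, would let a reader confirm that zero-filling both arrays is sufficient and not just a way to quiet KMSAN.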
-- 
2.52.0

