linux-stable/drivers/media
Lin Ma c850254fb5 media: dvbdev: fix refcnt bug
commit 3a664569b7 upstream.

The previous commit initializes dvbdev->ref before the template copy,
which will overwrite the reference and cause a refcnt bug.

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc6-next-20221128-syzkaller #0
...
RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
RSP: 0000:ffffc900000678d0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88813ff58000 RSI: ffffffff81660e7c RDI: fffff5200000cf0c
RBP: ffff888022a45010 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 000000000c48e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __refcount_add include/linux/refcount.h:199 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 kref_get include/linux/kref.h:45 [inline]
 dvb_device_get drivers/media/dvb-core/dvbdev.c:585 [inline]
 dvb_register_device+0xe83/0x16e0 drivers/media/dvb-core/dvbdev.c:517
...

Just place the kref_init at the correct position.

Reported-by: syzbot+fce48a3dd3368645bd6c@syzkaller.appspotmail.com
Fixes: 0fc044b2b5 ("media: dvbdev: adopts refcnt to avoid UAF")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-12-31 13:26:53 +01:00
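As an added illustration (not code from this page or from the kernel tree), the userspace model below reproduces the ordering problem the commit message describes: a refcount initialized to 1 and then wiped back to 0 by a memcpy() of a template that never sets it, so that the first dvb_device_get()-style increment is an "addition on 0". struct model_dvb_device, model_template and the model_refcount helpers are assumed stand-ins for struct dvb_device, the driver-supplied template and kref/refcount_t; the "too early" and "after the copy" variants are the two orderings, not the actual dvb_register_device() code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the kref_init()/memcpy() ordering bug; this is
 * not kernel code. struct model_dvb_device, model_template and the
 * model_refcount helpers are simplified stand-ins for struct dvb_device,
 * the driver-supplied template and kref/refcount_t.
 */

struct model_refcount {
	int refs;
};

struct model_dvb_device {
	int type;
	int minor;
	struct model_refcount ref;	/* stands in for dvbdev->ref */
};

/* Constructed template: like a real driver template it never sets ref. */
static const struct model_dvb_device model_template = {
	.type = 1,
	.minor = -1,
};

/*
 * Models refcount_inc(): taking a reference on a count of zero is the
 * "addition on 0; use-after-free" condition that refcount_warn_saturate()
 * reports, so the count is left alone and false is returned.
 */
static bool model_refcount_inc(struct model_refcount *r)
{
	if (r->refs == 0)
		return false;
	r->refs++;
	return true;
}

/*
 * Buggy order: the count is initialized first, then the template copy
 * overwrites every field, including the count that was just set to 1.
 * Returns the count after one get, or -1 when the model warns.
 */
static int demo_wrong_order(void)
{
	struct model_dvb_device dev;

	dev.ref.refs = 1;				/* kref_init() too early */
	memcpy(&dev, &model_template, sizeof(dev));	/* ref is 0 again */
	return model_refcount_inc(&dev.ref) ? dev.ref.refs : -1;
}

/* Fixed order: copy the template, then initialize the refcount. */
static int demo_right_order(void)
{
	struct model_dvb_device dev;

	memcpy(&dev, &model_template, sizeof(dev));
	dev.ref.refs = 1;				/* kref_init() after the copy */
	return model_refcount_inc(&dev.ref) ? dev.ref.refs : -1;
}

int main(void)
{
	printf("kref_init before memcpy: %d (-1 = refcount warning)\n",
	       demo_wrong_order());
	printf("kref_init after memcpy:  %d\n", demo_right_order());
	return 0;
}
```

The buggy variant returns -1 because the increment sees a zero count, which is the same condition behind the refcount_warn_saturate() splat above; the fixed variant ends at 2 (one from the init, one from the get). The same clobbering happens for any field the template does not set, which is why the init belongs after the copy.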
cec media: platform: cros-ec: Add Kuldax to the match table 2022-11-10 18:17:23 +01:00
common media: videobuf2-core: take mmap_lock in vb2_get_unmapped_area() 2022-12-14 11:40:51 +01:00
dvb-core media: dvbdev: fix refcnt bug 2022-12-31 13:26:53 +01:00
dvb-frontends media: dvb-frontends: fix leak of memory fw 2022-12-31 13:26:45 +01:00
firewire
i2c media: ov5640: set correct default link frequency 2022-12-31 13:26:09 +01:00
mc media: mc-entity: Add a new helper function to get a remote pad for a pad 2022-07-17 11:23:51 +01:00
mmc media: media/*/Kconfig: sort entries 2022-03-18 05:58:35 +01:00
pci media: saa7164: fix missing pci_disable_device() 2022-12-31 13:26:09 +01:00
platform media: mediatek: vcodec: Can't set dst buffer to done when lat decode error 2022-12-31 13:26:45 +01:00
radio media: si470x: Fix use-after-free in si470x_int_in_callback() 2022-12-31 13:26:46 +01:00
rc media: imon: fix a race condition in send_packet() 2022-12-31 13:26:02 +01:00
spi media updates for v5.18-rc1 2022-03-23 14:51:35 -07:00
test-drivers media: vimc: Fix wrong function called when vimc_init() fails 2022-12-31 13:26:02 +01:00
tuners media: si2157: unknown chip version Si2147-A30 ROM 0x50 2022-04-09 17:45:49 +02:00
usb media: dvb-usb: fix memory leak in dvb_usb_adapter_init() 2022-12-31 13:26:45 +01:00
v4l2-core media: v4l2-ctrls-api.c: add back dropped ctrl->is_new = 1 2022-12-31 13:26:37 +01:00
Kconfig media: Kconfig: cleanup VIDEO_DEV dependencies 2022-03-18 05:58:35 +01:00
Makefile