diff options
| author | Lin Ma <linma@zju.edu.cn> | 2022-11-28 16:21:59 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-01-18 11:30:39 +0100 |
| commit | 75158a417a16a163446c9dbe40f330d95758ea45 (patch) | |
| tree | 1f1fa599fcc3ab8b4f22bf50bfcbb71c97b45c8d | |
| parent | 87c89b063ba6f03a1556415ada3d0ddfa044c999 (diff) | |
| download | linux-stable-75158a417a16a163446c9dbe40f330d95758ea45.tar.gz linux-stable-75158a417a16a163446c9dbe40f330d95758ea45.tar.bz2 linux-stable-75158a417a16a163446c9dbe40f330d95758ea45.zip | |
media: dvbdev: fix refcnt bug
commit 3a664569b71b0a52be5ffb9fb87cc4f83d29bd71 upstream.
Previous commit initialize the dvbdev->ref before the template copy,
which will overwrite the reference and cause refcnt bug.
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc6-next-20221128-syzkaller #0
...
RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
RSP: 0000:ffffc900000678d0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88813ff58000 RSI: ffffffff81660e7c RDI: fffff5200000cf0c
RBP: ffff888022a45010 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 000000000c48e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:199 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
dvb_device_get drivers/media/dvb-core/dvbdev.c:585 [inline]
dvb_register_device+0xe83/0x16e0 drivers/media/dvb-core/dvbdev.c:517
...
Just place the kref_init at correct position.
Reported-by: syzbot+fce48a3dd3368645bd6c@syzkaller.appspotmail.com
Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/media/dvb-core/dvbdev.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index bf527eda6f05..4676d17f3372 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -490,8 +490,8 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, return -ENOMEM; } - kref_init(&dvbdev->ref); memcpy(dvbdev, template, sizeof(struct dvb_device)); + kref_init(&dvbdev->ref); dvbdev->type = type; dvbdev->id = id; dvbdev->adapter = adap; |