diff options
| author | Lin Ma <linma@zju.edu.cn> | 2022-11-28 16:21:59 +0000 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@kernel.org> | 2022-12-06 07:17:00 +0000 |
| commit | 3a664569b71b0a52be5ffb9fb87cc4f83d29bd71 (patch) | |
| tree | 1bb70a0bd6bd20f449a13d2e367ce143ca1d1f37 /drivers/media/dvb-core | |
| parent | bc0cd1080a035ea64fd141f7f8138ca5373fb47b (diff) | |
| download | linux-stable-3a664569b71b0a52be5ffb9fb87cc4f83d29bd71.tar.gz linux-stable-3a664569b71b0a52be5ffb9fb87cc4f83d29bd71.tar.bz2 linux-stable-3a664569b71b0a52be5ffb9fb87cc4f83d29bd71.zip | |
media: dvbdev: fix refcnt bug
Previous commit initialize the dvbdev->ref before the template copy,
which will overwrite the reference and cause refcnt bug.
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc6-next-20221128-syzkaller #0
...
RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
RSP: 0000:ffffc900000678d0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88813ff58000 RSI: ffffffff81660e7c RDI: fffff5200000cf0c
RBP: ffff888022a45010 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 000000000c48e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:199 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
dvb_device_get drivers/media/dvb-core/dvbdev.c:585 [inline]
dvb_register_device+0xe83/0x16e0 drivers/media/dvb-core/dvbdev.c:517
...
Just place the kref_init at correct position.
Reported-by: syzbot+fce48a3dd3368645bd6c@syzkaller.appspotmail.com
Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Diffstat (limited to 'drivers/media/dvb-core')
| -rw-r--r-- | drivers/media/dvb-core/dvbdev.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index d45673cb3ce1..2a857cf70c94 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -482,8 +482,8 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, return -ENOMEM; } - kref_init(&dvbdev->ref); memcpy(dvbdev, template, sizeof(struct dvb_device)); + kref_init(&dvbdev->ref); dvbdev->type = type; dvbdev->id = id; dvbdev->adapter = adap; |