stuartl/linux-mainline
1
0
Fork 0
mirror of https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux synced 2025-10-29 18:20:30 +10:00
Code Issues Releases Wiki Activity
63773d2b59
linux-mainline/include/media
History
Hyunwoo Kim 627bb528b0 media: dvb-core: Fix use-after-free due to race at dvb_register_device() 
dvb_register_device() dynamically allocates fops with kmemdup()
to set the fops->owner.
And these fops are registered in 'file->f_ops' using replace_fops()
in the dvb_device_open() process, and kfree()d in dvb_free_device().

However, it is not common to use dynamically allocated fops instead
of 'static const' fops as an argument of replace_fops(),
and UAF may occur.
These UAFs can occur on any dvb type using dvb_register_device(),
such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc.

So, instead of kfree() the fops dynamically allocated in
dvb_register_device() in dvb_free_device() called during the
.disconnect() process, kfree() it collectively in exit_dvbdev()
called when the dvbdev.c module is removed.

Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
2023-05-14 06:30:58 +01:00
..
davinci media updates for v6.3-rc1 2023-02-26 11:47:26 -08:00
drv-intf media: saa7146: convert to vb2 2023-04-15 08:53:31 +01:00
i2c media: i2c: Drop unused sr030pc30 camera sensor driver 2023-04-15 09:56:49 +01:00
tpg
cec-notifier.h
cec-pin.h
cec.h
demux.h
dmxdev.h
dvb_ca_en50221.h
dvb_demux.h
dvb_frontend.h media: dvb-core: Fix use-after-free on race condition at dvb_frontend 2023-05-14 06:30:23 +01:00
dvb_math.h
dvb_net.h media: dvb-core: Fix use-after-free due on race condition at dvb_net 2023-05-14 06:30:45 +01:00
dvb_ringbuffer.h
dvb_vb2.h
dvb-usb-ids.h
dvbdev.h media: dvb-core: Fix use-after-free due to race at dvb_register_device() 2023-05-14 06:30:58 +01:00
frame_vector.h
imx.h
media-dev-allocator.h
media-device.h media: mc-device: remove unnecessary __must_check 2023-04-11 18:54:01 +02:00
media-devnode.h
media-entity.h
media-request.h
mipi-csi2.h
ov_16bit_addr_reg_helpers.h
rc-core.h
rc-map.h media: rc: add Beelink Mini MXIII keymap 2023-03-19 22:21:54 +01:00
rcar-fcp.h
tuner-types.h
tuner.h
tveeprom.h media: drop unnecessary networking includes 2023-03-19 22:50:06 +01:00
v4l2-async.h
v4l2-common.h
v4l2-ctrls.h media: v4l2-ctrls: Fix doc for v4l2_ctrl_request_hdl_find 2023-03-20 16:21:47 +01:00
v4l2-dev.h
v4l2-device.h
v4l2-dv-timings.h
v4l2-event.h
v4l2-fh.h
v4l2-flash-led-class.h
v4l2-fwnode.h
v4l2-h264.h
v4l2-image-sizes.h
v4l2-ioctl.h
v4l2-jpeg.h
v4l2-mc.h media: Accept non-subdev sinks in v4l2_create_fwnode_links_to_pad() 2023-04-11 18:54:01 +02:00
v4l2-mediabus.h
v4l2-mem2mem.h
v4l2-rect.h
v4l2-subdev.h media: v4l2-subdev: Add new ioctl for client capabilities 2023-04-15 08:58:41 +01:00
v4l2-vp9.h
videobuf2-core.h
videobuf2-dma-contig.h
videobuf2-dma-sg.h
videobuf2-dvb.h
videobuf2-memops.h
videobuf2-v4l2.h
videobuf2-vmalloc.h
videobuf-core.h
videobuf-dma-contig.h
videobuf-dma-sg.h
videobuf-vmalloc.h
vsp1.h