* [PATCHv2] dvb: usb: fix use after free in dvb_usb_device_exit
@ 2019-04-30 10:43 Oliver Neukum
2019-04-30 11:29 ` Mauro Carvalho Chehab
0 siblings, 1 reply; 2+ messages in thread
From: Oliver Neukum @ 2019-04-30 10:43 UTC (permalink / raw)
To: mchehab, linux-media; +Cc: Oliver Neukum
dvb_usb_device_exit() frees and uses the device name in that order
Fix by storing the name in a buffer before freeing it
v2: fixed style issues
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
---
drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
index 99951e02a880..959bbdad8f00 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
+++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
@@ -288,13 +288,18 @@ void dvb_usb_device_exit(struct usb_interface *intf)
{
struct dvb_usb_device *d = usb_get_intfdata(intf);
const char *name = "generic DVB-USB module";
+ char identifier[40];
usb_set_intfdata(intf, NULL);
if (d != NULL && d->desc != NULL) {
name = d->desc->name;
+ memcpy(identifier, name, 39);
+ identifier[39] = 0;
dvb_usb_exit(d);
+ } else {
+ memcpy(identifier, name, 39);
}
- info("%s successfully deinitialized and disconnected.", name);
+ info("%s successfully deinitialized and disconnected.", identifier);
}
EXPORT_SYMBOL(dvb_usb_device_exit);
--
2.16.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCHv2] dvb: usb: fix use after free in dvb_usb_device_exit
2019-04-30 10:43 [PATCHv2] dvb: usb: fix use after free in dvb_usb_device_exit Oliver Neukum
@ 2019-04-30 11:29 ` Mauro Carvalho Chehab
0 siblings, 0 replies; 2+ messages in thread
From: Mauro Carvalho Chehab @ 2019-04-30 11:29 UTC (permalink / raw)
To: Oliver Neukum; +Cc: linux-media
Em Tue, 30 Apr 2019 12:43:58 +0200
Oliver Neukum <oneukum@suse.com> escreveu:
> dvb_usb_device_exit() frees and uses the device name in that order
> Fix by storing the name in a buffer before freeing it
>
> v2: fixed style issues
>
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
> ---
> drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> index 99951e02a880..959bbdad8f00 100644
> --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
> +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> @@ -288,13 +288,18 @@ void dvb_usb_device_exit(struct usb_interface *intf)
> {
> struct dvb_usb_device *d = usb_get_intfdata(intf);
> const char *name = "generic DVB-USB module";
I would change this to default_name;
> + char identifier[40];
And use name here, instead of identifier.
IMO, this makes easier to understand the code, as it is a common practice
to call "name" for such kind of var.
>
> usb_set_intfdata(intf, NULL);
> if (d != NULL && d->desc != NULL) {
> name = d->desc->name;
> + memcpy(identifier, name, 39);
> + identifier[39] = 0;
Please use instead (considering the rename I proposed before):
strscpy(name, d->desc->name, sizeof(name));
> dvb_usb_exit(d);
> + } else {
> + memcpy(identifier, name, 39);
And here:
strscpy(name, default_name, sizeof(name));
> }
> - info("%s successfully deinitialized and disconnected.", name);
> + info("%s successfully deinitialized and disconnected.", identifier);
Dropping this change.
>
> }
> EXPORT_SYMBOL(dvb_usb_device_exit);
Thanks,
Mauro
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-04-30 11:29 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-30 10:43 [PATCHv2] dvb: usb: fix use after free in dvb_usb_device_exit Oliver Neukum
2019-04-30 11:29 ` Mauro Carvalho Chehab
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.