| Message ID | 20190430104358.8526-1-oneukum@suse.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [PATCHv2] dvb: usb: fix use after free in dvb_usb_device_exit | expand |
Em Tue, 30 Apr 2019 12:43:58 +0200 Oliver Neukum <oneukum@suse.com> escreveu: > dvb_usb_device_exit() frees and uses the device name in that order > Fix by storing the name in a buffer before freeing it > > v2: fixed style issues > > Signed-off-by: Oliver Neukum <oneukum@suse.com> > Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com > --- > drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c > index 99951e02a880..959bbdad8f00 100644 > --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c > +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c > @@ -288,13 +288,18 @@ void dvb_usb_device_exit(struct usb_interface *intf) > { > struct dvb_usb_device *d = usb_get_intfdata(intf); > const char *name = "generic DVB-USB module"; I would change this to default_name; > + char identifier[40]; And use name here, instead of identifier. IMO, this makes easier to understand the code, as it is a common practice to call "name" for such kind of var. > > usb_set_intfdata(intf, NULL); > if (d != NULL && d->desc != NULL) { > name = d->desc->name; > + memcpy(identifier, name, 39); > + identifier[39] = 0; Please use instead (considering the rename I proposed before): strscpy(name, d->desc->name, sizeof(name)); > dvb_usb_exit(d); > + } else { > + memcpy(identifier, name, 39); And here: strscpy(name, default_name, sizeof(name)); > } > - info("%s successfully deinitialized and disconnected.", name); > + info("%s successfully deinitialized and disconnected.", identifier); Dropping this change. > > } > EXPORT_SYMBOL(dvb_usb_device_exit); Thanks, Mauro
diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c index 99951e02a880..959bbdad8f00 100644 --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c @@ -288,13 +288,18 @@ void dvb_usb_device_exit(struct usb_interface *intf) { struct dvb_usb_device *d = usb_get_intfdata(intf); const char *name = "generic DVB-USB module"; + char identifier[40]; usb_set_intfdata(intf, NULL); if (d != NULL && d->desc != NULL) { name = d->desc->name; + memcpy(identifier, name, 39); + identifier[39] = 0; dvb_usb_exit(d); + } else { + memcpy(identifier, name, 39); } - info("%s successfully deinitialized and disconnected.", name); + info("%s successfully deinitialized and disconnected.", identifier); } EXPORT_SYMBOL(dvb_usb_device_exit);
dvb_usb_device_exit() frees and uses the device name in that order Fix by storing the name in a buffer before freeing it v2: fixed style issues Signed-off-by: Oliver Neukum <oneukum@suse.com> Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com --- drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)