| Message ID | 20190430121607.4279-1-oneukum@suse.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [PATCHv3] dvb: usb: fix use after free in dvb_usb_device_exit | expand |
Em Tue, 30 Apr 2019 14:16:07 +0200 Oliver Neukum <oneukum@suse.com> escreveu: > dvb_usb_device_exit() frees and uses the device name in that order > Fix by storing the name in a buffer before freeing it > > v2: fixed style issues > v3: strscpy used and variable names changed > > Signed-off-by: Oliver Neukum <oneukum@suse.com> > Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com > --- > drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c > index 99951e02a880..48d17736db5d 100644 > --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c > +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c > @@ -287,12 +287,15 @@ EXPORT_SYMBOL(dvb_usb_device_init); > void dvb_usb_device_exit(struct usb_interface *intf) > { > struct dvb_usb_device *d = usb_get_intfdata(intf); > - const char *name = "generic DVB-USB module"; > + const char *default_name = "generic DVB-USB module"; > + char name[40]; > > usb_set_intfdata(intf, NULL); > if (d != NULL && d->desc != NULL) { > - name = d->desc->name; > + strscpy(name, d->desc->name, sizeof(name)); > dvb_usb_exit(d); > + } else { > + memcpy(name, default_name, sizeof(name)); Please use strscpy() here too, as we're using it everywhere when a string requires copy inside media. > } > info("%s successfully deinitialized and disconnected.", name); > Thanks, Mauro
diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c index 99951e02a880..48d17736db5d 100644 --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c @@ -287,12 +287,15 @@ EXPORT_SYMBOL(dvb_usb_device_init); void dvb_usb_device_exit(struct usb_interface *intf) { struct dvb_usb_device *d = usb_get_intfdata(intf); - const char *name = "generic DVB-USB module"; + const char *default_name = "generic DVB-USB module"; + char name[40]; usb_set_intfdata(intf, NULL); if (d != NULL && d->desc != NULL) { - name = d->desc->name; + strscpy(name, d->desc->name, sizeof(name)); dvb_usb_exit(d); + } else { + memcpy(name, default_name, sizeof(name)); } info("%s successfully deinitialized and disconnected.", name);
dvb_usb_device_exit() frees and uses the device name in that order Fix by storing the name in a buffer before freeing it v2: fixed style issues v3: strscpy used and variable names changed Signed-off-by: Oliver Neukum <oneukum@suse.com> Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com --- drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)