Hello! On 04/15/2019 02:12 PM, Oliver Neukum wrote: [...]
> From d6097d205ac61745334b79639d3b8b910ae66c71 Mon Sep 17 00:00:00 2001
> From: Oliver Neukum <oneukum@xxxxxxxx>
> Date: Mon, 15 Apr 2019 13:06:01 +0200
> Subject: [PATCH] dvb: usb: fix use after free in dvb_usb_device_exit
>
> dvb_usb_device_exit() frees and uses teh device name in that order
s/teh/the/.
> Fix by storing the name in a buffer before freeing it
>
> Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
> Reported-by: syzbot+26ec41e9f788b3eba396@xxxxxxxxxxxxxxxxxxxxxxxxx
> ---
> drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> index 99951e02a880..2e1670cc3903 100644
> --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
> +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> @@ -288,13 +288,18 @@ void dvb_usb_device_exit(struct usb_interface *intf)
> {
> struct dvb_usb_device *d = usb_get_intfdata(intf);
> const char *name = "generic DVB-USB module";
> + char identifier[40];
>
> usb_set_intfdata(intf, NULL);
> if (d != NULL && d->desc != NULL) {
> name = d->desc->name;
> + memcpy(identifier, name, 39);
> + identifier[39] = NULL;
NULL is for pointers, no?
> dvb_usb_exit(d);
> + } else {
> + memcpy(identifier, name, 39);
> }
> - info("%s successfully deinitialized and disconnected.", name);
> + info("%s successfully deinitialized and disconnected.", identifier);
>
> }
> EXPORT_SYMBOL(dvb_usb_device_exit);
MBR, Sergei
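Review bot: Both `memcpy(identifier, name, 39)` calls read a fixed 39 bytes from the source whatever its length, so the use-after-free fix introduces an out-of-bounds read. In the else branch the source is the literal "generic DVB-USB module", which is 23 bytes with its terminator, so the copy runs 16 bytes past the end of the literal; the same over-read presumably applies to any `d->desc->name` shorter than 39 bytes, though its storage is not visible in this hunk. The else branch also never writes `identifier[39]` and relies on the terminator copied from the source. A bounded string copy done once, before `dvb_usb_exit(d)`, covers both paths and removes the 39/40 magic pair: initialise with `strscpy(identifier, name, sizeof(identifier));` after the `name` declaration and repeat the same call after `name = d->desc->name;`, dropping the else branch.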