From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Hyunwoo Kim <imv4bel@gmail.com>,
kernel test robot <lkp@intel.com>,
Dan Carpenter <error27@gmail.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Ovidiu Panait <ovidiu.panait@windriver.com>
Subject: [PATCH 5.4 10/60] media: dvb-core: Fix use-after-free due to race at dvb_register_device()
Date: Mon, 26 Jun 2023 20:11:49 +0200 [thread overview]
Message-ID: <20230626180739.966123465@linuxfoundation.org> (raw)
In-Reply-To: <20230626180739.558575012@linuxfoundation.org>
From: Hyunwoo Kim <imv4bel@gmail.com>
commit 627bb528b086b4136315c25d6a447a98ea9448d3 upstream.
dvb_register_device() dynamically allocates fops with kmemdup()
to set the fops->owner.
And these fops are registered in 'file->f_ops' using replace_fops()
in the dvb_device_open() process, and kfree()d in dvb_free_device().
However, it is not common to use dynamically allocated fops instead
of 'static const' fops as an argument of replace_fops(),
and UAF may occur.
These UAFs can occur on any dvb type using dvb_register_device(),
such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc.
So, instead of kfree() the fops dynamically allocated in
dvb_register_device() in dvb_free_device() called during the
.disconnect() process, kfree() it collectively in exit_dvbdev()
called when the dvbdev.c module is removed.
Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-core/dvbdev.c | 84 ++++++++++++++++++++++++++++++----------
include/media/dvbdev.h | 15 +++++++
2 files changed, 78 insertions(+), 21 deletions(-)
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -37,6 +37,7 @@
#include <media/tuner.h>
static DEFINE_MUTEX(dvbdev_mutex);
+static LIST_HEAD(dvbdevfops_list);
static int dvbdev_debug;
module_param(dvbdev_debug, int, 0644);
@@ -462,14 +463,15 @@ int dvb_register_device(struct dvb_adapt
enum dvb_device_type type, int demux_sink_pads)
{
struct dvb_device *dvbdev;
- struct file_operations *dvbdevfops;
+ struct file_operations *dvbdevfops = NULL;
+ struct dvbdevfops_node *node = NULL, *new_node = NULL;
struct device *clsdev;
int minor;
int id, ret;
mutex_lock(&dvbdev_register_lock);
- if ((id = dvbdev_get_free_id (adap, type)) < 0){
+ if ((id = dvbdev_get_free_id (adap, type)) < 0) {
mutex_unlock(&dvbdev_register_lock);
*pdvbdev = NULL;
pr_err("%s: couldn't find free device id\n", __func__);
@@ -477,18 +479,45 @@ int dvb_register_device(struct dvb_adapt
}
*pdvbdev = dvbdev = kzalloc(sizeof(*dvbdev), GFP_KERNEL);
-
if (!dvbdev){
mutex_unlock(&dvbdev_register_lock);
return -ENOMEM;
}
- dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL);
+ /*
+ * When a device of the same type is probe()d more than once,
+ * the first allocated fops are used. This prevents memory leaks
+ * that can occur when the same device is probe()d repeatedly.
+ */
+ list_for_each_entry(node, &dvbdevfops_list, list_head) {
+ if (node->fops->owner == adap->module &&
+ node->type == type &&
+ node->template == template) {
+ dvbdevfops = node->fops;
+ break;
+ }
+ }
- if (!dvbdevfops){
- kfree (dvbdev);
- mutex_unlock(&dvbdev_register_lock);
- return -ENOMEM;
+ if (dvbdevfops == NULL) {
+ dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL);
+ if (!dvbdevfops) {
+ kfree(dvbdev);
+ mutex_unlock(&dvbdev_register_lock);
+ return -ENOMEM;
+ }
+
+ new_node = kzalloc(sizeof(struct dvbdevfops_node), GFP_KERNEL);
+ if (!new_node) {
+ kfree(dvbdevfops);
+ kfree(dvbdev);
+ mutex_unlock(&dvbdev_register_lock);
+ return -ENOMEM;
+ }
+
+ new_node->fops = dvbdevfops;
+ new_node->type = type;
+ new_node->template = template;
+ list_add_tail (&new_node->list_head, &dvbdevfops_list);
}
memcpy(dvbdev, template, sizeof(struct dvb_device));
@@ -499,20 +528,20 @@ int dvb_register_device(struct dvb_adapt
dvbdev->priv = priv;
dvbdev->fops = dvbdevfops;
init_waitqueue_head (&dvbdev->wait_queue);
-
dvbdevfops->owner = adap->module;
-
list_add_tail (&dvbdev->list_head, &adap->device_list);
-
down_write(&minor_rwsem);
#ifdef CONFIG_DVB_DYNAMIC_MINORS
for (minor = 0; minor < MAX_DVB_MINORS; minor++)
if (dvb_minors[minor] == NULL)
break;
-
if (minor == MAX_DVB_MINORS) {
+ if (new_node) {
+ list_del (&new_node->list_head);
+ kfree(dvbdevfops);
+ kfree(new_node);
+ }
list_del (&dvbdev->list_head);
- kfree(dvbdevfops);
kfree(dvbdev);
up_write(&minor_rwsem);
mutex_unlock(&dvbdev_register_lock);
@@ -521,41 +550,47 @@ int dvb_register_device(struct dvb_adapt
#else
minor = nums2minor(adap->num, type, id);
#endif
-
dvbdev->minor = minor;
dvb_minors[minor] = dvb_device_get(dvbdev);
up_write(&minor_rwsem);
-
ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads);
if (ret) {
pr_err("%s: dvb_register_media_device failed to create the mediagraph\n",
__func__);
-
+ if (new_node) {
+ list_del (&new_node->list_head);
+ kfree(dvbdevfops);
+ kfree(new_node);
+ }
dvb_media_device_free(dvbdev);
list_del (&dvbdev->list_head);
- kfree(dvbdevfops);
kfree(dvbdev);
mutex_unlock(&dvbdev_register_lock);
return ret;
}
- mutex_unlock(&dvbdev_register_lock);
-
clsdev = device_create(dvb_class, adap->device,
MKDEV(DVB_MAJOR, minor),
dvbdev, "dvb%d.%s%d", adap->num, dnames[type], id);
if (IS_ERR(clsdev)) {
pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n",
__func__, adap->num, dnames[type], id, PTR_ERR(clsdev));
+ if (new_node) {
+ list_del (&new_node->list_head);
+ kfree(dvbdevfops);
+ kfree(new_node);
+ }
dvb_media_device_free(dvbdev);
list_del (&dvbdev->list_head);
- kfree(dvbdevfops);
kfree(dvbdev);
+ mutex_unlock(&dvbdev_register_lock);
return PTR_ERR(clsdev);
}
+
dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n",
adap->num, dnames[type], id, minor, minor);
+ mutex_unlock(&dvbdev_register_lock);
return 0;
}
EXPORT_SYMBOL(dvb_register_device);
@@ -584,7 +619,6 @@ static void dvb_free_device(struct kref
{
struct dvb_device *dvbdev = container_of(ref, struct dvb_device, ref);
- kfree (dvbdev->fops);
kfree (dvbdev);
}
@@ -1090,9 +1124,17 @@ error:
static void __exit exit_dvbdev(void)
{
+ struct dvbdevfops_node *node, *next;
+
class_destroy(dvb_class);
cdev_del(&dvb_device_cdev);
unregister_chrdev_region(MKDEV(DVB_MAJOR, 0), MAX_DVB_MINORS);
+
+ list_for_each_entry_safe(node, next, &dvbdevfops_list, list_head) {
+ list_del (&node->list_head);
+ kfree(node->fops);
+ kfree(node);
+ }
}
subsys_initcall(init_dvbdev);
--- a/include/media/dvbdev.h
+++ b/include/media/dvbdev.h
@@ -190,6 +190,21 @@ struct dvb_device {
};
/**
+ * struct dvbdevfops_node - fops nodes registered in dvbdevfops_list
+ *
+ * @fops: Dynamically allocated fops for ->owner registration
+ * @type: type of dvb_device
+ * @template: dvb_device used for registration
+ * @list_head: list_head for dvbdevfops_list
+ */
+struct dvbdevfops_node {
+ struct file_operations *fops;
+ enum dvb_device_type type;
+ const struct dvb_device *template;
+ struct list_head list_head;
+};
+
+/**
* dvb_device_get - Increase dvb_device reference
*
* @dvbdev: pointer to struct dvb_device
next prev parent reply other threads:[~2023-06-26 18:35 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-26 18:11 [PATCH 5.4 00/60] 5.4.249-rc1 review Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 01/60] nilfs2: reject devices with insufficient block count Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 02/60] mm: rewrite wait_on_page_bit_common() logic Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 03/60] list: add "list_del_init_careful()" to go with "list_empty_careful()" Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 04/60] epoll: ep_autoremove_wake_function should use list_del_init_careful Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 05/60] tracing: Add tracing_reset_all_online_cpus_unlocked() function Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 06/60] x86/purgatory: remove PGO flags Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 07/60] tick/common: Align tick period during sched_timer setup Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 08/60] media: dvbdev: Fix memleak in dvb_register_device Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 09/60] media: dvbdev: fix error logic at dvb_register_device() Greg Kroah-Hartman
2023-06-26 18:11 ` Greg Kroah-Hartman [this message]
2023-06-26 18:11 ` [PATCH 5.4 11/60] nilfs2: fix buffer corruption due to concurrent device reads Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 12/60] Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 13/60] PCI: hv: Fix a race condition bug in hv_pci_query_relations() Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 14/60] cgroup: Do not corrupt task iteration when rebinding subsystem Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 15/60] mmc: meson-gx: remove redundant mmc_request_done() call from irq context Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 16/60] ip_tunnels: allow VXLAN/GENEVE to inherit TOS/TTL from VLAN Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 17/60] writeback: fix dereferencing NULL mapping->host on writeback_page_template Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 18/60] nilfs2: prevent general protection fault in nilfs_clear_dirty_page() Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 19/60] cifs: Clean up DFS referral cache Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 20/60] cifs: Get rid of kstrdup_const()d paths Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 21/60] cifs: Introduce helpers for finding TCP connection Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 22/60] cifs: Merge is_path_valid() into get_normalized_path() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 23/60] cifs: Fix potential deadlock when updating vol in cifs_reconnect() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 24/60] x86/mm: Avoid using set_pgd() outside of real PGD pages Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 25/60] rcu: Upgrade rcu_swap_protected() to rcu_replace_pointer() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 26/60] ieee802154: hwsim: Fix possible memory leaks Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 27/60] xfrm: Linearize the skb after offloading if needed Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 28/60] net: qca_spi: Avoid high load if QCA7000 is not available Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 29/60] mmc: mtk-sd: fix deferred probing Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 30/60] mmc: mvsdio: convert to devm_platform_ioremap_resource Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 31/60] mmc: mvsdio: fix deferred probing Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 32/60] mmc: omap: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 33/60] mmc: omap_hsmmc: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 34/60] mmc: sdhci-acpi: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 35/60] mmc: sh_mmcif: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 36/60] mmc: usdhi60rol0: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 37/60] ipvs: align inner_mac_header for encapsulation Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 38/60] net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 39/60] be2net: Extend xmit workaround to BE3 chip Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 40/60] netfilter: nf_tables: disallow element updates of bound anonymous sets Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 41/60] netfilter: nfnetlink_osf: fix module autoload Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 42/60] Revert "net: phy: dp83867: perform soft reset and retain established link" Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 43/60] sch_netem: acquire qdisc lock in netem_change() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 44/60] scsi: target: iscsi: Prevent login threads from racing between each other Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 45/60] HID: wacom: Add error check to wacom_parse_and_register() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 46/60] arm64: Add missing Set/Way CMO encodings Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 47/60] media: cec: core: dont set last_initiator if tx in progress Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 48/60] nfcsim.c: Fix error checking for debugfs_create_dir Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 49/60] usb: gadget: udc: fix NULL dereference in remove() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 50/60] s390/cio: unregister device when the only path is gone Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 51/60] ASoC: nau8824: Add quirk to active-high jack-detect Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 52/60] ARM: dts: Fix erroneous ADS touchscreen polarities Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 53/60] drm/exynos: vidi: fix a wrong error return Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 54/60] drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 55/60] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 56/60] x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 57/60] i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 58/60] mm: fix VM_BUG_ON(PageTail) and BUG_ON(PageWriteback) Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 59/60] mm: make wait_on_page_writeback() wait for multiple pending writebacks Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 60/60] xfs: verify buffer contents when we skip log replay Greg Kroah-Hartman
2023-06-27 9:04 ` [PATCH 5.4 00/60] 5.4.249-rc1 review Jon Hunter
2023-06-27 14:15 ` Harshit Mogalapalli
2023-06-27 20:10 ` Chris Paterson
2023-06-27 21:35 ` Guenter Roeck
2023-06-28 7:03 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230626180739.966123465@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=error27@gmail.com \
--cc=imv4bel@gmail.com \
--cc=lkp@intel.com \
--cc=mchehab@kernel.org \
--cc=ovidiu.panait@windriver.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).