media: dvb: usb: fix use after free in dvb_usb_device_exit [Linux 4.4.187]

This Linux kernel change, "media: dvb: usb: fix use after free in dvb_usb_device_exit", is included in the Linux 4.4.187 release. It was authored by Oliver Neukum <oneukum [at] suse.com> on Tue Apr 30 09:07:36 2019 -0400. The commit for this change in the Linux stable tree is 7e95655, which comes from upstream commit 6cf9723. The same upstream change may have been applied to other maintained Linux releases.

media: dvb: usb: fix use after free in dvb_usb_device_exit

[ Upstream commit 6cf97230cd5f36b7665099083272595c55d72be7 ]

dvb_usb_device_exit() frees and uses the device name in that order.
Fix by storing the name in a buffer before freeing it.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

This change adds or deletes 7 lines of Linux source code. The code changes to the Linux kernel are as follows.

 drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
index 1adf325..97a89ef 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
+++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
@@ -286,12 +286,15 @@ int dvb_usb_device_init(struct usb_interface *intf,
 void dvb_usb_device_exit(struct usb_interface *intf)
 {
    struct dvb_usb_device *d = usb_get_intfdata(intf);
-   const char *name = "generic DVB-USB module";
+   const char *default_name = "generic DVB-USB module";
+   char name[40];

    usb_set_intfdata(intf, NULL);
    if (d != NULL && d->desc != NULL) {
-       name = d->desc->name;
+       strscpy(name, d->desc->name, sizeof(name));
        dvb_usb_exit(d);
+   } else {
+       strscpy(name, default_name, sizeof(name));
    }
    info("%s successfully deinitialized and disconnected.", name);
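
Review bot: in the `d->desc != NULL` branch, `strscpy(name, d->desc->name, sizeof(name))` copies into a fixed `char name[40]`, so a descriptor name longer than 39 characters is silently truncated in the "successfully deinitialized" message, and the strscpy() return value that would signal the truncation is ignored. The 40 is an unexplained magic number; a named constant with a comment saying that truncation is acceptable for this log line would make the intent clear. It would also help to add a one-line comment that the copy must stay ahead of `dvb_usb_exit(d)`, because the commit message says the name is freed there, and a later cleanup that reorders these two lines or goes back to `name = d->desc->name` would reintroduce the use after free.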
