linux_dsm_epyc7002/drivers/media
Takashi Iwai 22a1e7783e xc2028: Fix use-after-free bug properly
The commit 8dfbcc4351 ("[media] xc2028: avoid use after free") tried
to address the reported use-after-free by clearing the reference.

However, it's clearing the wrong pointer; it sets NULL to
priv->ctrl.fname, but it's anyway overwritten by the next line
memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).

OTOH, the actual code accessing the freed string is the strcmp() call
with priv->fname:
	if (!firmware_name[0] && p->fname &&
	    priv->fname && strcmp(p->fname, priv->fname))
		free_firmware(priv);

where priv->fname points to the previous file name, and this was
already freed by kfree().

For fixing the bug properly, this patch does the following:

- Keep the copy of firmware file name in only priv->fname,
  priv->ctrl.fname isn't changed;
- The allocation is done only when the firmware gets loaded;
- The kfree() is called in free_firmware() commonly

Fixes: commit 8dfbcc4351 ('[media] xc2028: avoid use after free')
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-11-23 21:04:26 -02:00
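The ownership rule the commit describes (one owned copy of the firmware name in priv->fname, allocated only when firmware loads, released only in free_firmware(), and priv->ctrl.fname left as the caller's pointer) modelled as a userspace example. This is added illustration code, not the xc2028 driver's code: the struct names, xc_set_config(), load_firmware(), run_scenario() and the firmware file names are constructed for the example, and malloc/strdup/free stand in for the kernel's kmalloc/kstrdup/kfree.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the config block passed by the caller.
 * The caller owns ctrl.fname; the driver must never free it. */
struct xc_ctrl {
    const char *fname;
    int type;
};

/* Constructed stand-in for the driver's private state. priv->fname is
 * the only string the driver owns, so it is the only one it frees. */
struct xc_priv {
    struct xc_ctrl ctrl;
    char *fname;            /* name of the firmware currently loaded, or NULL */
    bool firmware_loaded;
};

/* The single release point, mirroring "kfree() is called in
 * free_firmware() commonly": nothing else frees priv->fname. */
static void free_firmware(struct xc_priv *priv)
{
    free(priv->fname);
    priv->fname = NULL;
    priv->firmware_loaded = false;
}

/* Allocate the owned copy only at the moment firmware is loaded. */
static int load_firmware(struct xc_priv *priv)
{
    const char *name = priv->ctrl.fname;

    if (!name)
        return -1;
    free_firmware(priv);        /* drop any previously loaded name */
    priv->fname = strdup(name);
    if (!priv->fname)
        return -1;
    priv->firmware_loaded = true;
    return 0;
}

/* Fixed ordering: compare the requested name against priv->fname, the
 * copy the driver still owns and has not freed, then copy the config.
 * Returns true when a loaded firmware was released because the name
 * changed. No kfree() happens before the strcmp(), so there is no
 * freed pointer left to dereference. */
static bool xc_set_config(struct xc_priv *priv, const struct xc_ctrl *p)
{
    bool released = false;

    if (p->fname && priv->fname && strcmp(p->fname, priv->fname)) {
        free_firmware(priv);
        released = true;
    }
    memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
    return released;
}

/* Walk the sequence from the commit with constructed names: configure
 * "a", load it, switch to "b" (must release), load "b", set "b" again
 * (must keep). Returns 0 on the expected outcome, otherwise the number
 * of the first step that deviated. */
int run_scenario(void)
{
    struct xc_priv priv;
    struct xc_ctrl a = { "fw-a.bin", 0 };   /* constructed sample names */
    struct xc_ctrl b = { "fw-b.bin", 0 };

    memset(&priv, 0, sizeof priv);

    xc_set_config(&priv, &a);
    if (priv.fname != NULL)
        return 1;                           /* nothing allocated until load */
    if (load_firmware(&priv))
        return 2;
    if (strcmp(priv.fname, a.fname) != 0)
        return 3;

    if (!xc_set_config(&priv, &b))
        return 4;                           /* name changed: released */
    if (priv.fname != NULL || priv.firmware_loaded)
        return 5;
    if (load_firmware(&priv))
        return 6;
    if (xc_set_config(&priv, &b))
        return 7;                           /* same name: kept */
    if (strcmp(priv.fname, b.fname) != 0)
        return 8;

    free_firmware(&priv);
    return 0;
}
```

The point of the model is the invariant, not the tuner: the owned string has exactly one allocation site and one release site, and the comparison always runs against a pointer that has not yet been freed. The buggy version described in the commit freed the old name and then compared against it, which is why clearing priv->ctrl.fname could not help.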
common
dvb-core
dvb-frontends gp8psk-fe: add missing MODULE_foo() macros 2016-11-14 08:43:13 -08:00
firewire
i2c rc: print correct variable for z8f0811 2016-11-11 08:45:08 -08:00
mmc
pci
platform
radio
rc
spi
tuners xc2028: Fix use-after-free bug properly 2016-11-23 21:04:26 -02:00
usb gp8psk: Fix DVB frontend attach 2016-11-13 10:02:22 -08:00
v4l2-core
cec-edid.c
Kconfig
Makefile
media-device.c
media-devnode.c
media-entity.c