diff options
| author | Arnd Bergmann <arnd@arndb.de> | 2017-02-02 09:36:01 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-04-21 03:31:23 -0400 |
| commit | 1992564156b5dc4ac73418e5b95e1a43f12f3cb1 (patch) | |
| tree | e3e68f87a4c3f6e84d8b7a69ef2dabcf3d9d3eac | |
| parent | de75264ee112b8c7353fc7ba13096690a6d3bcbe (diff) | |
dvb-usb-v2: avoid use-after-free
commit 005145378c9ad7575a01b6ce1ba118fb427f583a upstream.
I ran into a stack frame size warning because of the on-stack copy of
the USB device structure:
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c: In function 'dvb_usbv2_disconnect':
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:1029:1: error: the frame size of 1104 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
Copying a device structure like this is wrong for a number of other reasons
too aside from the possible stack overflow. One of them is that the
dev_info() call will print the name of the device later, but AFAICT
we have only copied a pointer to the name earlier and the actual name
has been freed by the time it gets printed.
This removes the on-stack copy of the device and instead copies the
device name using kstrdup(). I'm ignoring the possible failure here
as both printk() and kfree() are able to deal with NULL pointers.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c index a8e6624fbe83..a9bb2dde98ea 100644 --- a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c +++ b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | |||
| @@ -1013,8 +1013,8 @@ EXPORT_SYMBOL(dvb_usbv2_probe); | |||
| 1013 | void dvb_usbv2_disconnect(struct usb_interface *intf) | 1013 | void dvb_usbv2_disconnect(struct usb_interface *intf) |
| 1014 | { | 1014 | { |
| 1015 | struct dvb_usb_device *d = usb_get_intfdata(intf); | 1015 | struct dvb_usb_device *d = usb_get_intfdata(intf); |
| 1016 | const char *name = d->name; | 1016 | const char *devname = kstrdup(dev_name(&d->udev->dev), GFP_KERNEL); |
| 1017 | struct device dev = d->udev->dev; | 1017 | const char *drvname = d->name; |
| 1018 | 1018 | ||
| 1019 | dev_dbg(&d->udev->dev, "%s: bInterfaceNumber=%d\n", __func__, | 1019 | dev_dbg(&d->udev->dev, "%s: bInterfaceNumber=%d\n", __func__, |
| 1020 | intf->cur_altsetting->desc.bInterfaceNumber); | 1020 | intf->cur_altsetting->desc.bInterfaceNumber); |
| @@ -1024,8 +1024,9 @@ void dvb_usbv2_disconnect(struct usb_interface *intf) | |||
| 1024 | 1024 | ||
| 1025 | dvb_usbv2_exit(d); | 1025 | dvb_usbv2_exit(d); |
| 1026 | 1026 | ||
| 1027 | dev_info(&dev, "%s: '%s' successfully deinitialized and disconnected\n", | 1027 | pr_info("%s: '%s:%s' successfully deinitialized and disconnected\n", |
| 1028 | KBUILD_MODNAME, name); | 1028 | KBUILD_MODNAME, drvname, devname); |
| 1029 | kfree(devname); | ||
| 1029 | } | 1030 | } |
| 1030 | EXPORT_SYMBOL(dvb_usbv2_disconnect); | 1031 | EXPORT_SYMBOL(dvb_usbv2_disconnect); |
| 1031 | 1032 | ||