linux/drivers/media
Takashi Iwai 22a1e7783e xc2028: Fix use-after-free bug properly
The commit 8dfbcc4351 ("[media] xc2028: avoid use after free") tried
to address the reported use-after-free by clearing the reference.

However, it's clearing the wrong pointer: it sets priv->ctrl.fname to
NULL, but that is overwritten anyway by the next line,
memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).

OTOH, the actual code accessing the freed string is the strcmp() call
with priv->fname:
	if (!firmware_name[0] && p->fname &&
	    priv->fname && strcmp(p->fname, priv->fname))
		free_firmware(priv);

where priv->fname points to the previous file name, and this was
already freed by kfree().

For fixing the bug properly, this patch does the following:

- Keep the copy of the firmware file name only in priv->fname;
  priv->ctrl.fname isn't changed;
- The allocation is done only when the firmware gets loaded;
- The kfree() is called in free_firmware() commonly.

Fixes: commit 8dfbcc4351 ('[media] xc2028: avoid use after free')
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-11-23 21:04:26 -02:00
common [media] v4l2-tpg-core: drop SYCC, use higher precision 601 conversion matrix 2016-08-24 08:36:11 -03:00
dvb-core [media] get rid of a number of problems at the cross references 2016-09-22 10:00:23 -03:00
dvb-frontends gp8psk-fe: add missing MODULE_foo() macros 2016-11-14 08:43:13 -08:00
firewire [media] dvb: modify core to implement interfaces/entities at MC new gen 2016-01-11 12:18:52 -02:00
i2c rc: print correct variable for z8f0811 2016-11-11 08:45:08 -08:00
mmc
pci mm: replace get_user_pages_unlocked() write/force parameters with gup_flags 2016-10-18 14:13:37 -07:00
platform mm: replace get_vaddr_frames() write/force parameters with gup_flags 2016-10-19 08:11:24 -07:00
radio [media] constify i2c_algorithm structures 2016-09-19 16:27:02 -03:00
rc media updates for v4.9-rc1 2016-10-11 13:22:22 -07:00
spi [media] gs1662: make checkpatch happy 2016-09-19 14:39:49 -03:00
tuners xc2028: Fix use-after-free bug properly 2016-11-23 21:04:26 -02:00
usb gp8psk: Fix DVB frontend attach 2016-11-13 10:02:22 -08:00
v4l2-core Merge branch 'gup_flag-cleanups' 2016-10-19 08:39:47 -07:00
cec-edid.c [media] cec-edid: check for IEEE identifier 2016-08-22 14:04:51 -03:00
Kconfig [media] media Kconfig: improve the spi integration 2016-09-19 14:37:05 -03:00
Makefile [media] Add GS1662 driver, a video serializer 2016-09-19 14:36:24 -03:00
media-device.c [media] media: Add flags to tell whether to take graph mutex for an IOCTL 2016-09-22 10:28:40 -03:00
media-devnode.c [media] media: fix media devnode ioctl/syscall and unregister race 2016-06-15 17:59:28 -03:00
media-entity.c [media] media: Move media_device link_notify operation to an ops structure 2016-09-09 11:20:09 -03:00