media: dvb-core: Fix use-after-free due on race condition at dvb_net
stable inclusion from stable-v4.19.285 commit 7bb9c6e05efcecb15b0354d574efbc36ca321d75 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I635JD CVE: CVE-2022-45886 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7bb9c6e05efcecb15b0354d574efbc36ca321d75 -------------------------------- [ Upstream commit 4172385b ] A race condition may occur between the .disconnect function, which is called when the device is disconnected, and the dvb_device_open() function, which is called when the device node is open()ed. This results in several types of UAFs. The root cause of this is that you use the dvb_device_open() function, which does not implement a conditional statement that checks 'dvbnet->exit'. So, add 'remove_mutex` to protect 'dvbnet->exit' and use locked_dvb_net_open() function to check 'dvbnet->exit'. [mchehab: fix a checkpatch warning] Link: https://lore.kernel.org/linux-media/20221117045925.14297-3-imv4bel@gmail.com Signed-off-by:Hyunwoo Kim <imv4bel@gmail.com> Signed-off-by:
Loading
Please sign in to comment