    xc2028: Fix use-after-free bug properly · 22a1e778
    Takashi Iwai authored
    The commit 8dfbcc43 ("[media] xc2028: avoid use after free") tried
    to address the reported use-after-free by clearing the reference.
    
    However, it's clearing the wrong pointer; it sets priv->ctrl.fname
    to NULL, but that is anyway overwritten by the next line,
    memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).
    
    OTOH, the actual code accessing the freed string is the strcmp() call
    with priv->fname:
    	if (!firmware_name[0] && p->fname &&
    	    priv->fname && strcmp(p->fname, priv->fname))
    		free_firmware(priv);
    
    where priv->fname points to the previous file name, and this was
    already freed by kfree().
    
    For fixing the bug properly, this patch does the following:
    
    - Keep the copy of firmware file name in only priv->fname,
      priv->ctrl.fname isn't changed;
    - The allocation is done only when the firmware gets loaded;
    - The kfree() is called in free_firmware() commonly
    
    Fixes: commit 8dfbcc43 ('[media] xc2028: avoid use after free')
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
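The ownership rule the three points of the fix describe, as an added example in C that is not the driver's code (the struct and function names are simplified stand-ins for the xc2028 private data, and the firmware names used to exercise it are constructed): the only owned copy of the file name lives in priv->fname, it is allocated only when the firmware is loaded, and it is released only in free_firmware(), so the strcmp() against the previous name runs while that name is still valid.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the driver's structs (assumed shapes). */
struct xc2028_ctrl { const char *fname; };  /* caller-owned, never freed here */
struct xc2028_priv {
    struct xc2028_ctrl ctrl;
    char *fname;             /* the only owned copy of the loaded firmware name */
    int firmware_loaded;
};

static char *dup_name(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* The one place the owned copy is released (third point of the fix). */
static void free_firmware(struct xc2028_priv *priv)
{
    free(priv->fname);
    priv->fname = NULL;
    priv->firmware_loaded = 0;
}

/* Compare against the old name while it is still valid, then copy the
 * control block verbatim; priv->ctrl.fname is not touched (first point). */
static int set_config(struct xc2028_priv *priv, const struct xc2028_ctrl *p)
{
    if (p->fname && priv->fname && strcmp(p->fname, priv->fname))
        free_firmware(priv);
    memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
    return 0;
}

/* The copy is allocated only when the firmware gets loaded (second point).
 * Returns 0 on success, -1 when there is no name or no memory. */
static int load_firmware(struct xc2028_priv *priv)
{
    if (priv->fname)
        return 0;            /* same firmware already loaded, nothing to do */
    if (!priv->ctrl.fname)
        return -1;
    priv->fname = dup_name(priv->ctrl.fname);
    if (!priv->fname)
        return -1;
    priv->firmware_loaded = 1;
    return 0;
}
```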
tuner-xc2028.c 34.6 KB