linux/drivers/media/tuners
Takashi Iwai 22a1e7783e xc2028: Fix use-after-free bug properly
The commit 8dfbcc4351 ("[media] xc2028: avoid use after free") tried
to address the reported use-after-free by clearing the reference.

However, it's clearing the wrong pointer; it sets NULL to
priv->ctrl.fname, but it's anyway overwritten by the next line
memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).

OTOH, the actual code accessing the freed string is the strcmp() call
with priv->fname:
	if (!firmware_name[0] && p->fname &&
	    priv->fname && strcmp(p->fname, priv->fname))
		free_firmware(priv);

where priv->fname points to the previous file name, and this was
already freed by kfree().

For fixing the bug properly, this patch does the following:

- Keep the copy of firmware file name in only priv->fname,
  priv->ctrl.fname isn't changed;
- The allocation is done only when the firmware gets loaded;
- The kfree() is called in free_firmware() commonly.

Fixes: commit 8dfbcc4351 ('[media] xc2028: avoid use after free')
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-11-23 21:04:26 -02:00
e4000_priv.h [media] e4000: implement V4L2 subdevice tuner and core ops 2015-05-20 13:49:27 -03:00
e4000.c [media] tuners: Drop owner assignment from i2c_driver 2015-08-11 13:01:32 -03:00
e4000.h [media] e4000: various small changes 2015-05-20 13:48:31 -03:00
fc001x-common.h
fc0011.c
fc0011.h treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00
fc0012-priv.h
fc0012.c
fc0012.h treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00
fc0013-priv.h
fc0013.c [media] fc0013: remove unneeded test 2015-05-14 18:06:40 -03:00
fc0013.h treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00
fc2580_priv.h [media] fc2580: implement V4L2 subdevice for SDR control 2015-05-18 15:58:10 -03:00
fc2580.c [media] tuners: Drop owner assignment from i2c_driver 2015-08-11 13:01:32 -03:00
fc2580.h [media] fc2580: implement V4L2 subdevice for SDR control 2015-05-18 15:58:10 -03:00
it913x.c [media] it913x: do not allow driver unbind 2016-07-08 17:01:23 -03:00
it913x.h
Kconfig [media] tuners: Make all TV tuners visible if COMPILE_TEST=y 2015-08-11 12:56:40 -03:00
m88rs6000t.c [media] tuners: Refactoring for m88rs6000t_sleep() 2016-01-25 15:15:38 -02:00
m88rs6000t.h
Makefile [media] m88ts2022: remove from Makefile 2015-04-07 08:12:06 -03:00
max2165_priv.h
max2165.c [media] tv tuner max2165 driver: extend frequency range 2015-11-19 11:19:42 -02:00
max2165.h treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00
mc44s803_priv.h
mc44s803.c
mc44s803.h treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00
msi001.c spi: Drop owner assignment from spi_drivers 2015-10-28 10:30:17 +09:00
mt20xx.c [media] tuners: constify dvb_tuner_ops structures 2016-09-19 16:23:21 -03:00
mt20xx.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mt2060_priv.h
mt2060.c
mt2060.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mt2063.c [media] tuners: constify dvb_tuner_ops structures 2016-09-19 16:23:21 -03:00
mt2063.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mt2131_priv.h
mt2131.c
mt2131.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mt2266.c
mt2266.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mxl301rf.c
mxl301rf.h
mxl5005s.c
mxl5005s.h treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00
mxl5007t.c [media] tuners: constify dvb_tuner_ops structures 2016-09-19 16:23:21 -03:00
mxl5007t.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
qm1d1c0042.c [media] em28xx: add support for PLEX PX-BCUD (ISDB-S) 2016-05-06 23:51:47 -03:00
qm1d1c0042.h
qt1010_priv.h
qt1010.c [media] qt1010: avoid going past array 2015-04-30 14:57:35 -03:00
qt1010.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
r820t.c r820t: comment out two ancillary tables 2016-06-24 12:00:02 -03:00
r820t.h treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00
si2157_priv.h [media] si2157: detect if firmware is running 2016-05-06 10:07:45 -03:00
si2157.c [media] si2157: do not allow driver unbind 2016-07-08 16:54:54 -03:00
si2157.h treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00
tda827x.c [media] tuners: constify dvb_tuner_ops structures 2016-09-19 16:23:21 -03:00
tda827x.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tda8290.c
tda8290.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tda9887.c
tda9887.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tda18212.c [media] tuners: Drop owner assignment from i2c_driver 2015-08-11 13:01:32 -03:00
tda18212.h treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00
tda18218_priv.h
tda18218.c
tda18218.h treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00
tda18271-common.c
tda18271-fe.c [media] tda18271: use prefix on all printk messages 2016-09-05 15:26:28 -03:00
tda18271-maps.c
tda18271-priv.h [media] tda18271: use prefix on all printk messages 2016-09-05 15:26:28 -03:00
tda18271.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tea5761.c [media] tuners: constify dvb_tuner_ops structures 2016-09-19 16:23:21 -03:00
tea5761.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tea5767.c [media] tuners: constify dvb_tuner_ops structures 2016-09-19 16:23:21 -03:00
tea5767.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tua9001_priv.h [media] tua9001: use div_u64() for frequency calculation 2015-05-18 15:55:14 -03:00
tua9001.c [media] tuners: Drop owner assignment from i2c_driver 2015-08-11 13:01:32 -03:00
tua9001.h [media] tua9001: various minor changes 2015-05-18 15:54:02 -03:00
tuner-i2c.h [media] tuner-i2c: be consistent with I2C declaration 2015-06-23 10:01:45 -03:00
tuner-simple.c [media] tuners: constify dvb_tuner_ops structures 2016-09-19 16:23:21 -03:00
tuner-simple.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tuner-types.c
tuner-xc2028-types.h
tuner-xc2028.c xc2028: Fix use-after-free bug properly 2016-11-23 21:04:26 -02:00
tuner-xc2028.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
xc4000.c [media] xc4000: shut up a bogus smatch message 2016-02-23 07:14:02 -03:00
xc4000.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
xc5000.c [media] xc5000: fix memory corruption when unplugging device 2015-04-08 14:49:59 -03:00
xc5000.h treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00