From: Cengiz Can
To: "Daniel W . S . Almeida", Mauro Carvalho Chehab
Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Cengiz Can
Subject: [PATCH] media: vidtv: fix read after free
Date: Mon, 30 Nov 2020 12:28:26 +0300
Message-Id: <20201130092825.28532-1-cengiz@kernel.wtf>

`vidtv_channel_si_destroy` function has a call to `vidtv_psi_pat_table_destroy` that frees the Program Association Table. However, it is followed by a loop that iterates over the count of Program Map Tables. This obviously accesses invalid memory.

Eliminate this by making a copy of num_pmt before freeing the Program Association Table and loop on it instead.

Signed-off-by: Cengiz Can
--- drivers/media/test-drivers/vidtv/vidtv_channel.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/media/test-drivers/vidtv/vidtv_channel.c b/drivers/media/test-drivers/vidtv/vidtv_channel.c index 8ad6c0744d36..4af39a8786a7 100644 --- a/drivers/media/test-drivers/vidtv/vidtv_channel.c +++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c @@ -503,10 +503,13 @@ int vidtv_channel_si_init(struct vidtv_mux *m) void vidtv_channel_si_destroy(struct vidtv_mux *m) { u32 i; + u16 num_pmt; + + num_pmt = m->si.pat->num_pmt; vidtv_psi_pat_table_destroy(m->si.pat); - for (i = 0; i < m->si.pat->num_pmt; ++i) + for (i = 0; i < num_pmt; ++i) vidtv_psi_pmt_table_destroy(m->si.pmt_secs[i]); kfree(m->si.pmt_secs); -- 2.29.2
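Review bot: in vidtv_channel_si_destroy(), the read after free could be closed without the extra local by moving vidtv_psi_pat_table_destroy(m->si.pat) below the PMT loop, so that `for (i = 0; i < m->si.pat->num_pmt; ++i)` still reads a live PAT. This assumes vidtv_psi_pmt_table_destroy() does not depend on the PAT having been released first, which the visible lines do not show. If the copy is kept, consider clearing m->si.pat after the destroy call so that any later use fails on a NULL pointer rather than touching freed memory; within the visible context the pointer is left dangling. The new `num_pmt = m->si.pat->num_pmt;` also dereferences m->si.pat unconditionally, so it is worth confirming that this function cannot be reached with a NULL PAT. Finally, the commit message carries only a Signed-off-by line; a Fixes: tag naming the commit that introduced the loop would help stable backports.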