CVE-2023-31081: BUG: general protection fault in vidtv_mux_stop_thread

An issue was discovered in drivers/media/test-drivers/vidtv/vidtv_bridge.c in the Linux kernel 6.2. There is a NULL pointer dereference in vidtv_mux_stop_thread. In vidtv_stop_streaming, after dvb->mux=NULL occurs, it executes vidtv_mux_stop_thread(dvb->mux).


From: Yu Hao [email protected]
To: [email protected], [email protected], [email protected], [email protected]
Subject: BUG: general protection fault in vidtv_mux_stop_thread
Date: Mon, 17 Apr 2023 21:20:46 -0700
Message-ID: CA+UBctDXyiosaiR7YNKCs8k0aWu4gU+YutRcnC+TDJkXpHjQag@mail.gmail.com

Hello,

We found the following issue using syzkaller on Linux v6.2.0.

It seems to be a concurrency bug. In the function `vidtv_stop_streaming`, after `dvb->mux = NULL;` was executed, it executes `vidtv_mux_stop_thread(dvb->mux);` again. There needs to be a check for `dvb->mux == NULL` before `vidtv_mux_stop_thread(dvb->mux);` in the function `vidtv_stop_streaming`.

The full report including the Syzkaller reproducer: https://gist.github.com/ZHYfeng/c61f87ed42d4c44344d4addefd81cc1f

The brief report is below:

Syzkaller hit 'general protection fault in vidtv_mux_stop_thread' bug.

general protection fault, probably for non-canonical address 0xdffffc0000000025: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]
CPU: 0 PID: 9614 Comm: syz-executor.0 Not tainted 6.2.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:vidtv_mux_stop_thread+0x27/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471
Code: 00 00 00 0f 1f 44 00 00 55 53 48 89 fb e8 51 23 b2 fa 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8
RSP: 0018:ffffc900068ffca0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff86cec666
RDX: 0000000000000025 RSI: ffff888020378000 RDI: 0000000000000128
RBP: ffff888019d652f8 R08: 0000000000000000 R09: fffffbfff1ce4fab
R10: ffffc900068ffcb8 R11: fffffbfff1ce4faa R12: ffff888019d65260
R13: ffffffff8dc6f3c0 R14: ffffc9000713a6c0 R15: ffff888019d64a70
FS:  0000555555b72940(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555c00d88 CR3: 000000001e832000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline]
 vidtv_stop_feed+0x14e/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252
 dmx_section_feed_stop_filtering+0x91/0x150 drivers/media/dvb-core/dvb_demux.c:1000
 dvb_dmxdev_feed_stop+0x203/0x280 drivers/media/dvb-core/dmxdev.c:486
 dvb_dmxdev_filter_stop.part.0+0x1e7/0x340 drivers/media/dvb-core/dmxdev.c:559
 dvb_dmxdev_filter_stop drivers/media/dvb-core/dmxdev.c:552 [inline]
 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
 dvb_demux_release+0xd6/0x5c0 drivers/media/dvb-core/dmxdev.c:1246
 __fput+0x281/0xa90 fs/file_table.c:320
 task_work_run+0x170/0x270 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x262/0x270 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fe950c40dcb
Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffd3d403e80 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fe950c40dcb
RDX: 0000001b31220000 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 00007fe950dd0450
R10: 00007ffd3d403fc0 R11: 0000000000000293 R12: 00007fe950dd0448
R13: 00007fe950dd0450 R14: 00007fe950dcbf60 R15: 000000000001c14f
 </TASK>
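As an added example (not the vidtv driver's code), a user-space model of the stop path the report describes, with the NULL check on `dvb->mux` that the reporter asks for before `vidtv_mux_stop_thread()`. The struct layouts, the return codes and `run_double_stop()` are invented for the demonstration.

```c
#include <stddef.h>
#include <stdlib.h>

/* Model structs (invented; the driver's real layouts are not on the page). */
struct vidtv_mux {
	int running;                 /* stands in for the mux thread state */
};

struct vidtv_dvb {
	struct vidtv_mux *mux;       /* NULL once the mux has been torn down */
};

/* Like the driver's vidtv_mux_stop_thread(), this dereferences its argument
 * unconditionally, so reaching it with NULL is the fault in the report. */
static void vidtv_mux_stop_thread(struct vidtv_mux *mux)
{
	mux->running = 0;
}

/* Hardened stop path. The reported ordering was "dvb->mux = NULL; then
 * vidtv_mux_stop_thread(dvb->mux)"; here the pointer is checked first, used,
 * and cleared last. Returns 0 when a mux was stopped, -1 if there was none. */
static int vidtv_stop_streaming(struct vidtv_dvb *dvb)
{
	struct vidtv_mux *mux = dvb->mux;

	if (!mux)
		return -1;               /* a repeated stop lands here instead of faulting */
	vidtv_mux_stop_thread(mux);
	free(mux);
	dvb->mux = NULL;
	return 0;
}

/* One start followed by two stops, the sequence that faults without the
 * check. Returns 0 when the first stop succeeds and the second is refused. */
int run_double_stop(void)
{
	struct vidtv_dvb dvb = { .mux = calloc(1, sizeof(struct vidtv_mux)) };
	int first, second;

	if (!dvb.mux)
		return -1;
	dvb.mux->running = 1;
	first = vidtv_stop_streaming(&dvb);
	second = vidtv_stop_streaming(&dvb);
	return (first == 0 && second == -1 && dvb.mux == NULL) ? 0 : 1;
}
```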
