Bug 8178 - media: race condition in the dvbdmx_write function of dvb-core
Status: NEW
Alias: None
Product: ANCK 5.10 Dev
Classification: ANCK
Component: drivers
Version: 5.10.y-16
Hardware: All Linux
Importance: P3-Medium S3-normal
Target Milestone: ---
Assignee: GuixinLiu
QA Contact: shuming
Reported: 2024-02-04 11:30 UTC by Shiloong
Modified: 2024-03-06 10:07 UTC

Description Shiloong admin 2024-02-04 11:30:44 UTC
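Reporter information:
  - Bai Jiaju (白家驹) <baijiaju@buaa.edu.cn>
  - School of Cyber Science and Technology, Beihang University

Cause:
In the dvbdmx_write function, the demux->frontend pointer is dereferenced after being checked for non-NULL, but neither the check nor the dereference is done while holding a lock. After the check, demux->frontend can still be set to NULL by functions such as dvbdmx_disconnect_frontend running in another thread, which triggers a NULL pointer dereference.

Impact:
This module is compiled into the kernel. A NULL pointer dereference causes a kernel panic and hangs the system, and can be used for a denial-of-service attack.

Fix and mitigation:
Protect the non-NULL check of demux->frontend and its dereference with dvbdemux->mutex, so that demux->frontend cannot be set to NULL concurrently. The patch has been submitted to the Linux Kernel Media subsystem maintainers. Patch links: https://patchwork.kernel.org/project/linux-media/patch/20230626024429.994136-1-islituo@gmail.com/  https://lore.kernel.org/all/20230626024429.994136-1-islituo@gmail.com/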
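The check-then-dereference window described in the report, as an added user-space illustration that is not part of the bug report or the kernel patch. The struct layout, the function names and the `racing_disconnect` helper are assumptions made for this model: the helper stands in for a second thread running the disconnect path, and a pthread mutex stands in for `dvbdemux->mutex`.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

enum fe_source { FE_HW, FE_MEMORY };      /* stand-in for the frontend source type */
struct frontend { enum fe_source source; };
struct demux {                             /* simplified model, not the kernel struct */
    struct frontend *frontend;
    pthread_mutex_t mutex;                 /* plays the role of dvbdemux->mutex */
};

/* Models a concurrent disconnect arriving inside the window: it clears the
 * pointer only if it can take the mutex. Returns 1 if it cleared it. */
static int racing_disconnect(struct demux *d)
{
    if (pthread_mutex_trylock(&d->mutex) != 0)
        return 0;                          /* writer holds the lock: excluded */
    d->frontend = NULL;
    pthread_mutex_unlock(&d->mutex);
    return 1;
}

/* Before: the check and the use are two unlocked reads of d->frontend. */
static int write_unlocked(struct demux *d)
{
    if (!d->frontend)
        return -EINVAL;
    racing_disconnect(d);                  /* the race window */
    struct frontend *fe = d->frontend;     /* second read, may now be NULL */
    if (!fe)
        return -EFAULT;                    /* real code would dereference NULL here */
    return fe->source == FE_MEMORY ? 0 : -EINVAL;
}

/* After: check and use happen under the mutex, as the fix describes. */
static int write_locked(struct demux *d)
{
    int ret = -EINVAL;
    pthread_mutex_lock(&d->mutex);
    if (d->frontend) {
        racing_disconnect(d);              /* same window, now locked out */
        if (d->frontend->source == FE_MEMORY)
            ret = 0;
    }
    pthread_mutex_unlock(&d->mutex);
    return ret;
}
```

In the model, `-EFAULT` marks the point where the unlocked kernel path would dereference a NULL pointer; the locked variant never reaches that state because the disconnect cannot acquire the mutex between the check and the use.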