drivers/media/test-drivers/vidtv/vidtv_channel.c | 3 +++ 1 file changed, 3 insertions(+)
vidtv_channel_si_init() creates a temporary list (program, service, event)
and ownership of the memory itself is transferred to the PAT/SDT/EIT
tables through vidtv_psi_pat_program_assign(),
vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
The problem here is that the local pointer where the memory ownership
transfer was completed is not initialized to NULL. This causes the
vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and
in the flow that jumps to free_eit, the memory that was freed by
vidtv_psi_*_table_destroy() can be accessed again by
vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it
is freed once again.
Therefore, to prevent use-after-free and double-free vuln, local pointers
must be initialized to NULL when transferring memory ownership.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+1d9c0edea5907af239e0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1d9c0edea5907af239e0
Fixes: 3be8037960bc ("media: vidtv: add error checks")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
v2: Improved patch description wording and CC stable mailing list
- Link to v1: https://lore.kernel.org/all/20250822065849.1145572-1-aha310510@gmail.com/
---
drivers/media/test-drivers/vidtv/vidtv_channel.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/test-drivers/vidtv/vidtv_channel.c b/drivers/media/test-drivers/vidtv/vidtv_channel.c
index f3023e91b3eb..3541155c6fc6 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -461,12 +461,15 @@ int vidtv_channel_si_init(struct vidtv_mux *m)
/* assemble all programs and assign to PAT */
vidtv_psi_pat_program_assign(m->si.pat, programs);
+ programs = NULL;
/* assemble all services and assign to SDT */
vidtv_psi_sdt_service_assign(m->si.sdt, services);
+ services = NULL;
/* assemble all events and assign to EIT */
vidtv_psi_eit_event_assign(m->si.eit, events);
+ events = NULL;
m->si.pmt_secs = vidtv_psi_pmt_create_sec_for_each_pat_entry(m->si.pat,
m->pcr_pid);
--Hi Jeongjun,
You’re resending this, but there were comments on v2.
If you’ve taken steps to address them, please send a v3 instead.
> On 4 Sep 2025, at 02:40, Jeongjun Park <aha310510@gmail.com> wrote:
>
> vidtv_channel_si_init() creates a temporary list (program, service, event)
> and ownership of the memory itself is transferred to the PAT/SDT/EIT
> tables through vidtv_psi_pat_program_assign(),
> vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
>
> The problem here is that the local pointer where the memory ownership
> transfer was completed is not initialized to NULL. This causes the
> vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and
> in the flow that jumps to free_eit, the memory that was freed by
> vidtv_psi_*_table_destroy() can be accessed again by
> vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it
> is freed once again.
>
> Therefore, to prevent use-after-free and double-free vuln, local pointers
Please do not use “vuln” instead of vulnerability.
> must be initialized to NULL when transferring memory ownership.
>
> Cc: <stable@vger.kernel.org>
> Reported-by: syzbot+1d9c0edea5907af239e0@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=1d9c0edea5907af239e0
> Fixes: 3be8037960bc ("media: vidtv: add error checks")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> ---
> v2: Improved patch description wording and CC stable mailing list
> - Link to v1: https://lore.kernel.org/all/20250822065849.1145572-1-aha310510@gmail.com/
> ---
> drivers/media/test-drivers/vidtv/vidtv_channel.c | 3 +++
> 1 file changed, 3 insertions(+)
— Daniel
© 2016 - 2025 Red Hat, Inc.