github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-08 22:52:35 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
ddec2acd13
linux/drivers/media
History
Oliver Neukum 607a6b7b6a media: usbtv: prevent double free in error case 
commit 50e7044535 upstream.

Quoting the original report:

It looks like there is a double-free vulnerability in Linux usbtv driver
on an error path of usbtv_probe function. When audio registration fails,
usbtv_video_free function ends up freeing usbtv data structure, which
gets freed the second time under usbtv_video_fail label.

usbtv_audio_fail:

        usbtv_video_free(usbtv); =>

           v4l2_device_put(&usbtv->v4l2_dev);

              => v4l2_device_put

                  => kref_put

                      => v4l2_device_release

  => usbtv_release (CALLBACK)

                             => kfree(usbtv) (1st time)

usbtv_video_fail:

        usb_set_intfdata(intf, NULL);

        usb_put_dev(usbtv->udev);

        kfree(usbtv); (2nd time)

So, as we have refcounting, use it

Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-08 11:52:00 +02:00
..
common b2c2: flexcop: avoid unused function warnings 2018-02-25 11:03:48 +01:00
dvb-core media/dvb-core: Race condition when writing to CAM 2018-03-24 10:58:41 +01:00
dvb-frontends media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart 2018-03-24 10:58:47 +01:00
firewire [media] dvb: Get rid of typedev usage for enums 2015-06-09 17:47:35 -03:00
i2c media: i2c/soc_camera: fix ov6650 sensor getting wrong clock 2018-03-22 09:23:21 +01:00
mmc
pci media: bt8xx: Fix err 'bt878_probe()' 2018-03-24 10:58:47 +01:00
platform media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt 2018-03-24 10:58:46 +01:00
radio [media] radio: Drop owner assignment from i2c_driver 2015-08-11 13:01:08 -03:00
rc media: rc: check for integer overflow 2017-11-30 08:37:24 +00:00
tuners media: r820t: fix r820t_write_reg for KASAN 2018-02-22 15:45:02 +01:00
usb media: usbtv: prevent double free in error case 2018-04-08 11:52:00 +02:00
v4l2-core v4l: remove MEDIA_TUNER dependency for VIDEO_TUNER 2018-02-25 11:03:50 +01:00
Kconfig media updates for v4.2-rc1 2015-06-25 17:55:48 -07:00
Makefile
media-device.c
media-devnode.c
media-entity.c [media] media-entity.c: get rid of var length arrays 2015-10-01 18:10:05 -03:00