65 lines
1.8 KiB
Diff
65 lines
1.8 KiB
Diff
From: Oliver Neukum <oneukum@suse.com>
|
|
Date: Mon, 8 Jan 2018 09:21:07 -0500
|
|
Subject: media: usbtv: prevent double free in error case
|
|
Origin: https://git.kernel.org/linus/50e7044535537b2a54c7ab798cd34c7f6d900bd2
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17975
|
|
|
|
Quoting the original report:
|
|
|
|
It looks like there is a double-free vulnerability in Linux usbtv driver
|
|
on an error path of usbtv_probe function. When audio registration fails,
|
|
usbtv_video_free function ends up freeing usbtv data structure, which
|
|
gets freed the second time under usbtv_video_fail label.
|
|
|
|
usbtv_audio_fail:
|
|
|
|
usbtv_video_free(usbtv); =>
|
|
|
|
v4l2_device_put(&usbtv->v4l2_dev);
|
|
|
|
=> v4l2_device_put
|
|
|
|
=> kref_put
|
|
|
|
=> v4l2_device_release
|
|
|
|
=> usbtv_release (CALLBACK)
|
|
|
|
=> kfree(usbtv) (1st time)
|
|
|
|
usbtv_video_fail:
|
|
|
|
usb_set_intfdata(intf, NULL);
|
|
|
|
usb_put_dev(usbtv->udev);
|
|
|
|
kfree(usbtv); (2nd time)
|
|
|
|
So, as we have refcounting, use it
|
|
|
|
Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu>
|
|
Signed-off-by: Oliver Neukum <oneukum@suse.com>
|
|
CC: stable@vger.kernel.org
|
|
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
|
|
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
---
|
|
drivers/media/usb/usbtv/usbtv-core.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
|
|
index 127f8a0c098b..0c2e628e8723 100644
|
|
--- a/drivers/media/usb/usbtv/usbtv-core.c
|
|
+++ b/drivers/media/usb/usbtv/usbtv-core.c
|
|
@@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interface *intf,
|
|
return 0;
|
|
|
|
usbtv_audio_fail:
|
|
+ /* we must not free at this point */
|
|
+ usb_get_dev(usbtv->udev);
|
|
usbtv_video_free(usbtv);
|
|
|
|
usbtv_video_fail:
|
|
--
|
|
2.17.0
|
|
|