Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-12-22 10:56:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
50e7044535
linux/drivers/media/usb/usbtv
History
Oliver Neukum 50e7044535 media: usbtv: prevent double free in error case 
Quoting the original report:

It looks like there is a double-free vulnerability in Linux usbtv driver
on an error path of usbtv_probe function. When audio registration fails,
usbtv_video_free function ends up freeing usbtv data structure, which
gets freed the second time under usbtv_video_fail label.

usbtv_audio_fail:

        usbtv_video_free(usbtv); =>

           v4l2_device_put(&usbtv->v4l2_dev);

              => v4l2_device_put

                  => kref_put

                      => v4l2_device_release

  => usbtv_release (CALLBACK)

                             => kfree(usbtv) (1st time)

usbtv_video_fail:

        usb_set_intfdata(intf, NULL);

        usb_put_dev(usbtv->udev);

        kfree(usbtv); (2nd time)

So, as we have refcounting, use it

Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2018-02-26 06:59:54 -05:00
..
Kconfig media: fix usage of whitespaces and on indentation 2018-01-04 13:12:01 -05:00
Makefile [media] usbtv: add audio support 2014-08-21 15:25:34 -05:00
usbtv-audio.c media: usb: make snd_pcm_hardware const 2017-08-20 08:05:10 -04:00
usbtv-core.c media: usbtv: prevent double free in error case 2018-02-26 06:59:54 -05:00
usbtv-video.c media: usbtv: fix brightness and contrast controls 2017-10-31 07:26:10 -04:00
usbtv.h [media] usbtv: add video controls 2016-11-16 13:06:18 -02:00