media: usbtv: prevent double free in error case (CVE-2017-17975)
This commit is contained in:
Salvatore Bonaccorso
parent
8e41f67460
commit
f5b6a35cad
|
|
@ -26,6 +26,7 @@ linux (4.15.11-2) UNRELEASED; urgency=medium
|
|||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* drm/nouveau/mmu: ALIGN_DOWN correct variable (Closes: #895750)
|
||||
* media: usbtv: prevent double free in error case (CVE-2017-17975)
|
||||
|
||||
-- Roger Shimizu <rogershimizu@gmail.com> Fri, 23 Mar 2018 21:10:34 +0900
|
||||
|
||||
|
|
|
|||
64
debian/patches/bugfix/all/media-usbtv-prevent-double-free-in-error-case.patch
vendored
Normal file
64
debian/patches/bugfix/all/media-usbtv-prevent-double-free-in-error-case.patch
vendored
Normal file
|
|
@ -0,0 +1,64 @@
|
|||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Mon, 8 Jan 2018 09:21:07 -0500
|
||||
Subject: media: usbtv: prevent double free in error case
|
||||
Origin: https://git.kernel.org/linus/50e7044535537b2a54c7ab798cd34c7f6d900bd2
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17975
|
||||
|
||||
Quoting the original report:
|
||||
|
||||
It looks like there is a double-free vulnerability in Linux usbtv driver
|
||||
on an error path of usbtv_probe function. When audio registration fails,
|
||||
usbtv_video_free function ends up freeing usbtv data structure, which
|
||||
gets freed the second time under usbtv_video_fail label.
|
||||
|
||||
usbtv_audio_fail:
|
||||
|
||||
usbtv_video_free(usbtv); =>
|
||||
|
||||
v4l2_device_put(&usbtv->v4l2_dev);
|
||||
|
||||
=> v4l2_device_put
|
||||
|
||||
=> kref_put
|
||||
|
||||
=> v4l2_device_release
|
||||
|
||||
=> usbtv_release (CALLBACK)
|
||||
|
||||
=> kfree(usbtv) (1st time)
|
||||
|
||||
usbtv_video_fail:
|
||||
|
||||
usb_set_intfdata(intf, NULL);
|
||||
|
||||
usb_put_dev(usbtv->udev);
|
||||
|
||||
kfree(usbtv); (2nd time)
|
||||
|
||||
So, as we have refcounting, use it
|
||||
|
||||
Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu>
|
||||
Signed-off-by: Oliver Neukum <oneukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
||||
---
|
||||
drivers/media/usb/usbtv/usbtv-core.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
|
||||
index 127f8a0c098b..0c2e628e8723 100644
|
||||
--- a/drivers/media/usb/usbtv/usbtv-core.c
|
||||
+++ b/drivers/media/usb/usbtv/usbtv-core.c
|
||||
@@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interface *intf,
|
||||
return 0;
|
||||
|
||||
usbtv_audio_fail:
|
||||
+ /* we must not free at this point */
|
||||
+ usb_get_dev(usbtv->udev);
|
||||
usbtv_video_free(usbtv);
|
||||
|
||||
usbtv_video_fail:
|
||||
--
|
||||
2.17.0
|
||||
|
||||
|
|
@ -121,6 +121,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch
|
||||
bugfix/all/media-usbtv-prevent-double-free-in-error-case.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue