AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-12-19 01:48:11 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
50e7044535
linux_dsm_epyc7002/drivers/media
History
Oliver Neukum 50e7044535 media: usbtv: prevent double free in error case 
Quoting the original report:

It looks like there is a double-free vulnerability in Linux usbtv driver
on an error path of usbtv_probe function. When audio registration fails,
usbtv_video_free function ends up freeing usbtv data structure, which
gets freed the second time under usbtv_video_fail label.

usbtv_audio_fail:

        usbtv_video_free(usbtv); =>

           v4l2_device_put(&usbtv->v4l2_dev);

              => v4l2_device_put

                  => kref_put

                      => v4l2_device_release

  => usbtv_release (CALLBACK)

                             => kfree(usbtv) (1st time)

usbtv_video_fail:

        usb_set_intfdata(intf, NULL);

        usb_put_dev(usbtv->udev);

        kfree(usbtv); (2nd time)

So, as we have refcounting, use it

Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2018-02-26 06:59:54 -05:00
..
cec media: cec: add SPDX license info 2018-02-14 13:16:03 -05:00
common media: add SPDX license info 2018-02-14 13:17:03 -05:00
dvb-core vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
dvb-frontends media: ts2020: avoid integer overflows on 32 bit machines 2018-01-29 07:46:46 -05:00
firewire vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
i2c ov13858: fix endiannes warnings 2018-02-23 03:21:27 -05:00
mmc media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
pci media: intel-ipu3: cio2: Use SPDX license headers 2018-02-23 02:28:18 -05:00
platform media: coda: bump maximum number of internal framebuffers to 19 2018-02-26 06:58:05 -05:00
radio media: add SPDX license info 2018-02-14 13:17:03 -05:00
rc media: rc: get start time just before calling driver tx 2018-02-14 14:17:21 -05:00
spi [media] gs1662: drop kfree for memory allocated with devm_kzalloc 2016-10-24 17:59:08 -02:00
tuners media: replace all <spaces><tab> occurrences 2018-01-04 13:15:05 -05:00
usb media: usbtv: prevent double free in error case 2018-02-26 06:59:54 -05:00
v4l2-core media: v4l-ioctl: fix clearing pad for VIDIOC_DV_TIMINGS_CAP 2018-02-22 12:41:39 -05:00
Kconfig media: fix usage of whitespaces and on indentation 2018-01-04 13:12:01 -05:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
media-device.c media: media-device: use strlcpy() instead of strncpy() 2018-02-26 06:58:40 -05:00
media-devnode.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
media-entity.c [media] media: Check for active and has_no_links overrun 2017-10-04 17:16:14 -03:00