APPLIED: [SRU][Artful][CVE-2017-17975][PATCH] media: usbtv: prevent double free in error case

Stefan Bader stefan.bader at canonical.com
Fri Apr 20 11:58:08 UTC 2018 

On 19.04.2018 16:02, Kleber Sacilotto de Souza wrote:
> From: Oliver Neukum <oneukum at suse.com>
> 
> CVE-2017-17975
> 
> Quoting the original report:
> 
> It looks like there is a double-free vulnerability in Linux usbtv driver
> on an error path of usbtv_probe function. When audio registration fails,
> usbtv_video_free function ends up freeing usbtv data structure, which
> gets freed the second time under usbtv_video_fail label.
> 
> usbtv_audio_fail:
> 
>         usbtv_video_free(usbtv); =>
> 
>            v4l2_device_put(&usbtv->v4l2_dev);
> 
>               => v4l2_device_put
> 
>                   => kref_put
> 
>                       => v4l2_device_release
> 
>   => usbtv_release (CALLBACK)
> 
>                              => kfree(usbtv) (1st time)
> 
> usbtv_video_fail:
> 
>         usb_set_intfdata(intf, NULL);
> 
>         usb_put_dev(usbtv->udev);
> 
>         kfree(usbtv); (2nd time)
> 
> So, as we have refcounting, use it
> 
> Reported-by: Yavuz, Tuba <tuba at ece.ufl.edu>
> Signed-off-by: Oliver Neukum <oneukum at suse.com>
> CC: stable at vger.kernel.org
> Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
> Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
> (cherry picked from commit 50e7044535537b2a54c7ab798cd34c7f6d900bd2)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
> ---

Applied to artful/master-next

>  drivers/media/usb/usbtv/usbtv-core.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
> index ceb953be0770..720f8c15eea8 100644
> --- a/drivers/media/usb/usbtv/usbtv-core.c
> +++ b/drivers/media/usb/usbtv/usbtv-core.c
> @@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interface *intf,
>  	return 0;
>  
>  usbtv_audio_fail:
> +	/* we must not free at this point */
> +	usb_get_dev(usbtv->udev);
>  	usbtv_video_free(usbtv);
>  
>  usbtv_video_fail:
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180420/10d6f82e/attachment.sig>

More information about the kernel-team mailing list