| Message ID | 20180419140240.2791-1-kleber.souza@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [SRU,Artful,CVE-2017-17975] media: usbtv: prevent double free in error case | expand |
On 2018-04-19 16:02:40 , Kleber Souza wrote: > From: Oliver Neukum <oneukum@suse.com> > > CVE-2017-17975 > > Quoting the original report: > > It looks like there is a double-free vulnerability in Linux usbtv driver > on an error path of usbtv_probe function. When audio registration fails, > usbtv_video_free function ends up freeing usbtv data structure, which > gets freed the second time under usbtv_video_fail label. > > usbtv_audio_fail: > > usbtv_video_free(usbtv); => > > v4l2_device_put(&usbtv->v4l2_dev); > > => v4l2_device_put > > => kref_put > > => v4l2_device_release > > => usbtv_release (CALLBACK) > > => kfree(usbtv) (1st time) > > usbtv_video_fail: > > usb_set_intfdata(intf, NULL); > > usb_put_dev(usbtv->udev); > > kfree(usbtv); (2nd time) > > So, as we have refcounting, use it > > Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu> > Signed-off-by: Oliver Neukum <oneukum@suse.com> > CC: stable@vger.kernel.org > Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> > Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> > (cherry picked from commit 50e7044535537b2a54c7ab798cd34c7f6d900bd2) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/media/usb/usbtv/usbtv-core.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c > index ceb953be0770..720f8c15eea8 100644 > --- a/drivers/media/usb/usbtv/usbtv-core.c > +++ b/drivers/media/usb/usbtv/usbtv-core.c > @@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interface *intf, > return 0; > > usbtv_audio_fail: > + /* we must not free at this point */ > + usb_get_dev(usbtv->udev); > usbtv_video_free(usbtv); > > usbtv_video_fail: Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
On 19.04.2018 16:02, Kleber Sacilotto de Souza wrote: > From: Oliver Neukum <oneukum@suse.com> > > CVE-2017-17975 > > Quoting the original report: > > It looks like there is a double-free vulnerability in Linux usbtv driver > on an error path of usbtv_probe function. When audio registration fails, > usbtv_video_free function ends up freeing usbtv data structure, which > gets freed the second time under usbtv_video_fail label. > > usbtv_audio_fail: > > usbtv_video_free(usbtv); => > > v4l2_device_put(&usbtv->v4l2_dev); > > => v4l2_device_put > > => kref_put > > => v4l2_device_release > > => usbtv_release (CALLBACK) > > => kfree(usbtv) (1st time) > > usbtv_video_fail: > > usb_set_intfdata(intf, NULL); > > usb_put_dev(usbtv->udev); > > kfree(usbtv); (2nd time) > > So, as we have refcounting, use it > > Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu> > Signed-off-by: Oliver Neukum <oneukum@suse.com> > CC: stable@vger.kernel.org > Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> > Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> > (cherry picked from commit 50e7044535537b2a54c7ab798cd34c7f6d900bd2) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > drivers/media/usb/usbtv/usbtv-core.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c > index ceb953be0770..720f8c15eea8 100644 > --- a/drivers/media/usb/usbtv/usbtv-core.c > +++ b/drivers/media/usb/usbtv/usbtv-core.c > @@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interface *intf, > return 0; > > usbtv_audio_fail: > + /* we must not free at this point */ > + usb_get_dev(usbtv->udev); > usbtv_video_free(usbtv); > > usbtv_video_fail: >
On 19.04.2018 16:02, Kleber Sacilotto de Souza wrote: > From: Oliver Neukum <oneukum@suse.com> > > CVE-2017-17975 > > Quoting the original report: > > It looks like there is a double-free vulnerability in Linux usbtv driver > on an error path of usbtv_probe function. When audio registration fails, > usbtv_video_free function ends up freeing usbtv data structure, which > gets freed the second time under usbtv_video_fail label. > > usbtv_audio_fail: > > usbtv_video_free(usbtv); => > > v4l2_device_put(&usbtv->v4l2_dev); > > => v4l2_device_put > > => kref_put > > => v4l2_device_release > > => usbtv_release (CALLBACK) > > => kfree(usbtv) (1st time) > > usbtv_video_fail: > > usb_set_intfdata(intf, NULL); > > usb_put_dev(usbtv->udev); > > kfree(usbtv); (2nd time) > > So, as we have refcounting, use it > > Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu> > Signed-off-by: Oliver Neukum <oneukum@suse.com> > CC: stable@vger.kernel.org > Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> > Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> > (cherry picked from commit 50e7044535537b2a54c7ab798cd34c7f6d900bd2) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- Applied to artful/master-next > drivers/media/usb/usbtv/usbtv-core.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c > index ceb953be0770..720f8c15eea8 100644 > --- a/drivers/media/usb/usbtv/usbtv-core.c > +++ b/drivers/media/usb/usbtv/usbtv-core.c > @@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interface *intf, > return 0; > > usbtv_audio_fail: > + /* we must not free at this point */ > + usb_get_dev(usbtv->udev); > usbtv_video_free(usbtv); > > usbtv_video_fail: >
diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c index ceb953be0770..720f8c15eea8 100644 --- a/drivers/media/usb/usbtv/usbtv-core.c +++ b/drivers/media/usb/usbtv/usbtv-core.c @@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interface *intf, return 0; usbtv_audio_fail: + /* we must not free at this point */ + usb_get_dev(usbtv->udev); usbtv_video_free(usbtv); usbtv_video_fail: