UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenCloudOS-Kernel/drivers/media/usb
History
Oliver Neukum 50e7044535 media: usbtv: prevent double free in error case 
Quoting the original report:

It looks like there is a double-free vulnerability in Linux usbtv driver
on an error path of usbtv_probe function. When audio registration fails,
usbtv_video_free function ends up freeing usbtv data structure, which
gets freed the second time under usbtv_video_fail label.

usbtv_audio_fail:

        usbtv_video_free(usbtv); =>

           v4l2_device_put(&usbtv->v4l2_dev);

              => v4l2_device_put

                  => kref_put

                      => v4l2_device_release

  => usbtv_release (CALLBACK)

                             => kfree(usbtv) (1st time)

usbtv_video_fail:

        usb_set_intfdata(intf, NULL);

        usb_put_dev(usbtv->udev);

        kfree(usbtv); (2nd time)

So, as we have refcounting, use it

Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
 		2018-02-26 06:59:54 -05:00
..
airspy media: usb: make video_device const 2017-08-27 08:45:32 -04:00
as102 media: fix usage of whitespaces and on indentation 2018-01-04 13:12:01 -05:00
au0828 media: au0828: fix VIDEO_V4L2 dependency 2018-02-26 06:57:13 -05:00
b2c2 media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
cpia2 vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
cx231xx vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
dvb-usb media: cxusb, dib0700: ignore XC2028_I2C_FLUSH 2018-01-29 07:47:47 -05:00
dvb-usb-v2 media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
em28xx media: convert g/s_parm to g/s_frame_interval in subdevs 2018-02-22 12:27:35 -05:00
go7007 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gspca vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
hackrf media: usb: make video_device const 2017-08-27 08:45:32 -04:00
hdpvr vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
msi2500 media: usb: fix spelling mistake: "synchronuously" -> "synchronously" 2017-11-07 03:47:09 -05:00
pulse8-cec media: pulse8-cec: print time using time64_t 2017-12-08 11:08:22 -05:00
pvrusb2 vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
pwc media: replace all <spaces><tab> occurrences 2018-01-04 13:15:05 -05:00
rainshadow-cec media: usb: rainshadow-cec: constify serio_device_id 2017-08-20 08:27:29 -04:00
s2255 media: s2255drv: update firmware load 2017-12-08 10:43:59 -05:00
siano media: replace all <spaces><tab> occurrences 2018-01-04 13:15:05 -05:00
stk1160 media: replace all <spaces><tab> occurrences 2018-01-04 13:15:05 -05:00
stkwebcam vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
tm6000 vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
ttusb-budget media updates for v4.16-rc1 2018-02-06 11:27:48 -08:00
ttusb-dec media updates for v4.16-rc1 2018-02-06 11:27:48 -08:00
usbtv media: usbtv: prevent double free in error case 2018-02-26 06:59:54 -05:00
usbvision media: don't include drivers/media/i2c at cflags 2017-12-28 14:14:09 -05:00
uvc media: uvcvideo: Fixed ktime_t to ns conversion 2018-02-23 02:24:29 -05:00
zr364xx media: annotate ->poll() instances 2017-11-27 16:20:06 -05:00
Kconfig [media] rainshadow-cec: new RainShadow Tech HDMI CEC driver 2017-04-10 12:42:10 -03:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00