summaryrefslogtreecommitdiffstats
path: root/drivers/media/usb/usbtv
diff options
context:
space:
mode:
authorOliver Neukum <oneukum@suse.com>2018-01-08 15:21:07 +0100
committerMauro Carvalho Chehab <mchehab@s-opensource.com>2018-02-26 12:59:54 +0100
commit50e7044535537b2a54c7ab798cd34c7f6d900bd2 (patch)
treeaa8018ab5ef0caedd67f8ce0db06ab371ec865f1 /drivers/media/usb/usbtv
parentmedia: media-device: use strlcpy() instead of strncpy() (diff)
downloadlinux-50e7044535537b2a54c7ab798cd34c7f6d900bd2.tar.xz
linux-50e7044535537b2a54c7ab798cd34c7f6d900bd2.zip
media: usbtv: prevent double free in error case
Quoting the original report: It looks like there is a double-free vulnerability in Linux usbtv driver on an error path of usbtv_probe function. When audio registration fails, usbtv_video_free function ends up freeing usbtv data structure, which gets freed the second time under usbtv_video_fail label. usbtv_audio_fail: usbtv_video_free(usbtv); => v4l2_device_put(&usbtv->v4l2_dev); => v4l2_device_put => kref_put => v4l2_device_release => usbtv_release (CALLBACK) => kfree(usbtv) (1st time) usbtv_video_fail: usb_set_intfdata(intf, NULL); usb_put_dev(usbtv->udev); kfree(usbtv); (2nd time) So, as we have refcounting, use it Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu> Signed-off-by: Oliver Neukum <oneukum@suse.com> CC: stable@vger.kernel.org Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Diffstat (limited to 'drivers/media/usb/usbtv')
-rw-r--r--drivers/media/usb/usbtv/usbtv-core.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
index 127f8a0c098b..0c2e628e8723 100644
--- a/drivers/media/usb/usbtv/usbtv-core.c
+++ b/drivers/media/usb/usbtv/usbtv-core.c
@@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interface *intf,
return 0;
usbtv_audio_fail:
+ /* we must not free at this point */
+ usb_get_dev(usbtv->udev);
usbtv_video_free(usbtv);
usbtv_video_fail: