[ldv-project] Double-free in usbtv driver
tuba at ece.ufl.edu
Sun Nov 19 01:26:12 MSK 2017
It looks like there is a double-free vulnerability in Linux usbtv driver on an error path of usbtv_probe function. When audio registration fails, usbtv_video_free function ends up freeing usbtv data structure, which gets freed the second time under usbtv_video_fail label.
=> usbtv_release (CALLBACK)
=> kfree(usbtv) (1st time)
kfree(usbtv); (2nd time)
It looks like the vulnerability was introduced when audio support was added in 2014
I would appreciate if someone could evaluate this bug.
Tuba Yavuz, Ph.D.
Electrical and Computer Engineering Department
University of Florida
Gainesville, FL 32611
Email: tuba at ece.ufl.edu
Phone: (352) 846 0202
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the ldv-project