[ldv-project] Double-free in usbtv driver

Yavuz, Tuba tuba at ece.ufl.edu
Sun Nov 19 01:26:12 MSK 2017


Hello,


It looks like there is a double-free vulnerability in the Linux usbtv driver on an error path of the usbtv_probe function. When audio registration fails, the usbtv_video_free function ends up freeing the usbtv data structure, which then gets freed a second time under the usbtv_video_fail label.



usbtv_audio_fail:
        usbtv_video_free(usbtv);
          => v4l2_device_put(&usbtv->v4l2_dev);
             => v4l2_device_put
                => kref_put
                   => v4l2_device_release
                      => usbtv_release (CALLBACK)
                         => kfree(usbtv) (1st time)

usbtv_video_fail:
        usb_set_intfdata(intf, NULL);
        usb_put_dev(usbtv->udev);
        kfree(usbtv); (2nd time)


It looks like the vulnerability was introduced when audio support was added in 2014:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/drivers/media/usb/usbtv?id=63ddf68de52efaac40a9287e44266ac30e71dd36.

I would appreciate it if someone could evaluate this bug.


Best,

Tuba Yavuz, Ph.D.
Assistant Professor
Electrical and Computer Engineering Department
University of Florida
Gainesville, FL 32611
Webpage: http://www.tuba.ece.ufl.edu/
Email: tuba at ece.ufl.edu
Phone: (352) 846 0202
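The following is an added example, not code from the report above or from the kernel's usbtv driver. It is a user-space model of the refcount-release pattern the call chain describes: a v4l2-style put() that runs a release callback which kfree()s the whole object, followed by an error label that kfree()s it again. Names such as usbtv_model, v4l2_device_put_model and probe_free_count are hypothetical, kfree() is replaced by an instrumented stand-in that logs every call and only frees on the first, and the "fixed" branch (returning right after the put instead of falling through) is one illustrative correction, not necessarily the change the kernel adopted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Instrumented stand-in for kfree(): every call is logged by address, but the
 * block is only really freed the first time so the demo never corrupts the heap. */
#define MAX_FREED 16
static uintptr_t freed_log[MAX_FREED];
static int freed_count;

static void reset_free_log(void) { freed_count = 0; }

/* How many times the block at this address has been handed to model_kfree(). */
static int times_freed(uintptr_t addr)
{
    int n = 0;
    for (int i = 0; i < freed_count; i++)
        if (freed_log[i] == addr)
            n++;
    return n;
}

static void model_kfree(void *p)
{
    uintptr_t addr = (uintptr_t)p;          /* only the address is used once freed */
    if (freed_count < MAX_FREED)
        freed_log[freed_count++] = addr;
    if (times_freed(addr) == 1)
        free(p);
}

/* Hypothetical cut-down usbtv: the kref lives inside the embedded v4l2_dev. */
struct usbtv_model {
    int refcount;           /* models the kref in usbtv->v4l2_dev */
    int video_registered;
};

/* Models usbtv_release(), the v4l2 release callback: frees the whole struct. */
static void usbtv_release_model(struct usbtv_model *u)
{
    model_kfree(u);
}

/* Models v4l2_device_put() -> kref_put(): the last reference runs the callback. */
static void v4l2_device_put_model(struct usbtv_model *u)
{
    if (--u->refcount == 0)
        usbtv_release_model(u);
}

/* Models usbtv_video_free(): drops the device reference. */
static void usbtv_video_free_model(struct usbtv_model *u)
{
    v4l2_device_put_model(u);
}

/* Runs the probe path and returns how many times the usbtv block was freed.
 * fail_audio=1 selects the audio-registration failure from the report;
 * fixed=1 returns right after the put instead of falling through. */
static int probe_free_count(int fail_audio, int fixed)
{
    reset_free_log();
    struct usbtv_model *u = calloc(1, sizeof *u);
    if (!u)
        return -1;
    uintptr_t addr = (uintptr_t)u;
    u->refcount = 1;            /* v4l2_device_register() holds the only reference */
    u->video_registered = 1;    /* video setup succeeded */

    if (fail_audio) {
        /* usbtv_audio_fail: */
        usbtv_video_free_model(u);   /* last ref -> release callback -> kfree #1 */
        if (fixed)
            return times_freed(addr); /* object is already gone; do not touch it */
        /* original code falls through to usbtv_video_fail: */
        model_kfree(u);              /* kfree #2 on the same block: double free */
        return times_freed(addr);
    }

    /* success: the device stays alive until disconnect drops the reference */
    usbtv_video_free_model(u);
    return times_freed(addr);
}

int main(void)
{
    printf("audio fails, original flow : freed %d time(s)\n", probe_free_count(1, 0));
    printf("audio fails, fixed flow    : freed %d time(s)\n", probe_free_count(1, 1));
    printf("probe succeeds             : freed %d time(s)\n", probe_free_count(0, 0));
    return 0;
}
```

The general lesson the model makes visible: once an object's lifetime is owned by a refcount with a release callback, an error label must not kfree() that object after any path that may have dropped the last reference; the unwind order has to put the reference either before or instead of the explicit free, never both.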