Details


Issue of the Implementation # L0166

Brief

usb: dbgp gadget: fix use after free in dbgp_unbind()

Detailed Description

After a dbgp_bind()-dbgp_unbind() cycle, the static variable dbgp contains pointers to already deallocated memory (dbgp.serial and dbgp.req). If the next dbgp_bind() fails, for example in usb_ep_alloc_request(), dbgp_bind() calls dbgp_unbind() on the failure path, and dbgp_unbind() frees dbgp.serial, which still stores a pointer to already deallocated memory.
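
A userspace C model of the sequence described above, added here as an illustration and not taken from the kernel driver or from the fix commit. The names `dbgp_model`, `model_bind`, `model_unbind`, `t_alloc`, `t_free` and `run_cycle` are hypothetical, the tracking pool stands in for the kernel allocator, and clearing the pointers in the unbind path is an assumed mitigation shown for comparison.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model with hypothetical names; not the kernel driver's code. */
struct block { bool live; };
static struct block pool[4];      /* stand-in for the kernel heap */
static int stale_frees;           /* frees of blocks that were already freed */
static struct { struct block *serial, *req; } dbgp_model; /* static state */

static struct block *t_alloc(bool fail) {
    for (int i = 0; !fail && i < 4; i++)
        if (!pool[i].live) { pool[i].live = true; return &pool[i]; }
    return NULL;                  /* simulated allocation failure */
}

static void t_free(struct block *b) {
    if (!b) return;                           /* like kfree(NULL): no-op */
    if (!b->live) { stale_frees++; return; }  /* second free of same block */
    b->live = false;
}

static void model_unbind(bool clear) {
    t_free(dbgp_model.serial);    /* freed unconditionally, as the page describes */
    if (dbgp_model.req) t_free(dbgp_model.req);
    if (clear) dbgp_model.serial = dbgp_model.req = NULL; /* assumed mitigation */
}

static int model_bind(bool fail_req, bool clear) {
    dbgp_model.req = t_alloc(fail_req);  /* stands in for usb_ep_alloc_request() */
    if (!dbgp_model.req) goto fail;      /* serial still holds the old pointer */
    dbgp_model.serial = t_alloc(false);
    if (dbgp_model.serial) return 0;
fail:
    model_unbind(clear);                 /* failure path reuses unbind */
    return -1;
}

/* bind, unbind, then a bind whose request allocation fails */
int run_cycle(bool clear) {
    stale_frees = 0;
    model_bind(false, clear);
    model_unbind(clear);
    model_bind(true, clear);
    return stale_frees;
}

int main(void) {
    printf("pointers left stale: %d stale free(s)\n", run_cycle(false));
    printf("pointers cleared:    %d stale free(s)\n", run_cycle(true));
    return 0;
}
```
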

Component

linux-kernel 3.16

Accepted

http://linuxtesting.org/pipermail/ldv-project/2014-August/000359.html
commit

Status

Fixed in kernel 3.17-rc3
