diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2019-08-20 19:40:54 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-08-20 19:42:33 +0100 |
commit | d5062ab703d3e277bebae17ff44d4c515c6c0c18 (patch) | |
tree | b7f2f16dacaae8d802a6281bbfceb41df56af8e8 /active/CVE-2019-15213 | |
parent | 8f3f26bb2d08bdd57f65ea58ae3a9a85cf5d4396 (diff) |
Remove status for CVE-2019-15213 and note why the fix is wrong
Diffstat (limited to 'active/CVE-2019-15213')
-rw-r--r-- | active/CVE-2019-15213 | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/active/CVE-2019-15213 b/active/CVE-2019-15213 index f78711e3..5ba55f88 100644 --- a/active/CVE-2019-15213 +++ b/active/CVE-2019-15213 @@ -1,12 +1,22 @@ -Description: media: dvb: usb: fix use after free in dvb_usb_device_exit +Description: media: dvb: usb: use after free in dvb_usb_device_exit References: Notes: + bwh> This is supposed to be fixed by commit 6cf97230cd5f "media: dvb: + bwh> usb: fix use after free in dvb_usb_device_exit", but that won't fix + bwh> the syzkaller report it claims to. The KASAN output shows an 8-byte + bwh> access to memory that was allocated in dw2102_probe(), apparently by + bwh> the statement "s421 = kmemdup(...)". But it was also freed by + bwh> dw2102_probe(), so d->desc was already a dangling pointer before + bwh> dvb_usb_device_exit() was called. + bwh> The name strings seem to be static data that are only freed when + bwh> the module containing them is unloaded. Which dvb_usb_device_exit() + bwh> doesn't do. Bugs: -upstream: released (5.3-rc1) [6cf97230cd5f36b7665099083272595c55d72be7] -4.19-upstream-stable: released (4.19.61) [94f2b518a7882f562537796b77e3ce6a6461236d] -4.9-upstream-stable: released (4.9.187) [1d2e6bd4b64da75e6dba06fc9e3977c6413632b1] +upstream: +4.19-upstream-stable: +4.9-upstream-stable: 3.16-upstream-stable: -sid: released (5.2.6-1) +sid: 4.19-buster-security: 4.9-stretch-security: 3.16-jessie-security: |