path: root/active/CVE-2019-15213
blob: 8118e2e3707df46ae8b9f01856428a361c2436b0
Description: media: dvb: usb: use after free in dvb_usb_device_exit
References:
 https://lore.kernel.org/linux-media/fe983331d14442a96db3f71066ca0488a8921840.camel%40decadent.org.uk/
 https://lore.kernel.org/linux-media/20190822104147.4420-1-vasilyev@ispras.ru/
 https://bugzilla.kernel.org/show_bug.cgi?id=204597
Notes:
 bwh> This is supposed to be fixed by commit 6cf97230cd5f "media: dvb:
 bwh> usb: fix use after free in dvb_usb_device_exit", but that won't fix
 bwh> the syzkaller report it claims to.  The KASAN output shows an 8-byte
 bwh> access to memory that was allocated in dw2102_probe(), apparently by
 bwh> the statement "s421 = kmemdup(...)".  But it was also freed by
 bwh> dw2102_probe(), so d->desc was already a dangling pointer before
 bwh> dvb_usb_device_exit() was called.
 bwh> The name strings seem to be static data that are only freed when
 bwh> the module containing them is unloaded.  Which dvb_usb_device_exit()
 bwh> doesn't do.
 bwh> Introduced in 4.19 by commit 299c7007e936 "media: dw2102: Fix
 bwh> memleak on sequence of probes".
Bugs:
upstream: needed
6.1-upstream-stable: needed
5.10-upstream-stable: needed
4.19-upstream-stable: needed
4.9-upstream-stable: N/A "Vulnerability introduced later"
3.16-upstream-stable: N/A "Vulnerability introduced later"
sid: needed
6.1-bookworm-security: needed
5.10-bullseye-security: needed
4.19-buster-security: needed
4.9-stretch-security: N/A "Vulnerability introduced later"
3.16-jessie-security: N/A "Vulnerability introduced later"