Hi Linux Media Devs,

There is a double free on error in zr364xx_probe(). The bug report
explains it pretty well. v4l2_device_unregister() calls zr364xx_release()
which frees "cam", but we also do another kfree(cam); before the
"return err;".

Please give reported-by credit to:

Reported-by: "Yavuz, Tuba" <tuba@xxxxxxxxxxx>

regards,
dan carpenter

On Tue, Mar 20, 2018 at 02:30:45PM +0000, Yavuz, Tuba wrote:
> Hello,
>
> It looks like there is a double-free on an error path in the
> zr364xx_probe function of the zr364xx driver.
>
> fail:
>     v4l2_ctrl_handler_free(hdl);
>     v4l2_device_unregister(&cam->v4l2_dev);
>         => v4l2_device_disconnect
>         => put_device
>         => kobject_put
>         => kref_put
>         => v4l2_device_release
>         => zr364xx_release (CALLBACK)
>         => kfree(cam)
>     kfree(cam);
>
> The vulnerability exists since the initial commit
> 0aa77f6c2954896b132f8b6f2e9f063c52800913 of the driver:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/media/usb/zr364xx?id=0aa77f6c2954896b132f8b6f2e9f063c52800913
>
> Best,
>
> Tuba Yavuz, Ph.D.
> Assistant Professor
> Electrical and Computer Engineering Department
> University of Florida
> Gainesville, FL 32611
> Webpage: http://www.tuba.ece.ufl.edu/
> Email: tuba@xxxxxxxxxxx
> Phone: (352) 846 0202
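The ownership mistake behind this report (an object whose lifetime passes to a refcount release callback at registration, followed by an explicit free on the error path) is easy to model in user space. The following is an added example, not code from the zr364xx driver or the mailing-list thread: `model_dev`, `cam_obj`, the `tracked_*` allocator and the `probe_*` functions are assumptions standing in for `struct v4l2_device`, the driver's `cam`, kfree() and the probe error path. A tracking allocator counts frees per allocation instead of performing the second one, so the double free becomes an observable number rather than undefined behaviour, and the two corrected paths show that the fix is to drop the explicit kfree() only after registration, not before it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Tracking allocator (constructed for this example): a repeated free of
 * the same allocation is recorded, not handed back to the allocator. */
struct alloc_rec { void *ptr; int frees; };
static struct alloc_rec registry[16];
static int nregistry;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p || nregistry == 16)
        abort();
    registry[nregistry].ptr = p;
    registry[nregistry].frees = 0;
    nregistry++;
    return p;
}

static void tracked_free(void *p)
{
    /* Search newest first so a reused address maps to the live record. */
    for (int i = nregistry - 1; i >= 0; i--) {
        if (registry[i].ptr == p) {
            if (registry[i].frees++ == 0)
                free(p);   /* first free is real, later ones are only counted */
            return;
        }
    }
}

/* Stand-in for the refcounted device in the report: dropping the last
 * reference runs the release callback, which frees the container. */
struct model_dev {
    int refcount;
    void (*release)(struct model_dev *);
};

struct cam_obj {
    struct model_dev dev;   /* first member, so a cast recovers the container */
    int frame_size;
};

static void cam_release(struct model_dev *d)
{
    struct cam_obj *cam = (struct cam_obj *)d;
    tracked_free(cam);      /* the kfree(cam) inside the release callback */
}

static void model_dev_register(struct model_dev *d,
                               void (*release)(struct model_dev *))
{
    d->refcount = 1;
    d->release = release;
}

static void model_dev_unregister(struct model_dev *d)
{
    if (--d->refcount == 0)
        d->release(d);
}

/* Pattern from the report: unregister frees cam through the callback,
 * then the error path frees it again. Returns how many frees cam got. */
int probe_double_free(void)
{
    int idx = nregistry;
    struct cam_obj *cam = tracked_alloc(sizeof *cam);
    model_dev_register(&cam->dev, cam_release);
    /* ... a later setup step fails, jump to the error label ... */
    model_dev_unregister(&cam->dev);   /* release callback frees cam */
    tracked_free(cam);                 /* second free of the same object */
    return registry[idx].frees;
}

/* Corrected late failure: after registration cam belongs to the release
 * callback, so the error path only drops the reference. */
int probe_fixed_late_failure(void)
{
    int idx = nregistry;
    struct cam_obj *cam = tracked_alloc(sizeof *cam);
    model_dev_register(&cam->dev, cam_release);
    model_dev_unregister(&cam->dev);   /* the only free */
    return registry[idx].frees;
}

/* Corrected early failure: before registration no callback will run,
 * so the explicit free is still required and must not be removed. */
int probe_fixed_early_failure(void)
{
    int idx = nregistry;
    struct cam_obj *cam = tracked_alloc(sizeof *cam);
    tracked_free(cam);
    return registry[idx].frees;
}

int main(void)
{
    printf("buggy path frees cam %d times\n", probe_double_free());
    printf("fixed late-failure path frees cam %d time(s)\n", probe_fixed_late_failure());
    printf("fixed early-failure path frees cam %d time(s)\n", probe_fixed_early_failure());
    return 0;
}
```

The same split applies when reviewing a real probe function: every free on the error path has to be classified by whether the object's release callback can already run at that point, and a single `fail:` label that serves both pre- and post-registration failures is the usual way the two get confused.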