CVE-2019-15213
media: dvb: usb: use after free in dvb_usb_device_exit
References
Notes
bwh> This is supposed to be fixed by commit 6cf97230cd5f "media: dvb:
bwh> usb: fix use after free in dvb_usb_device_exit", but that won't fix
bwh> the syzkaller report it claims to. The KASAN output shows an 8-byte
bwh> access to memory that was allocated in dw2102_probe(), apparently by
bwh> the statement "s421 = kmemdup(...)". But it was also freed by
bwh> dw2102_probe(), so d->desc was already a dangling pointer before
bwh> dvb_usb_device_exit() was called.
bwh> The name strings seem to be static data that are only freed when
bwh> the module containing them is unloaded. Which dvb_usb_device_exit()
bwh> doesn't do.
bwh> Introduced in 4.19 by commit 299c7007e936 "media: dw2102: Fix
bwh> memleak on sequence of probes".
Bugs
Status
Branch | Status
4.19-buster-security | needed
4.19-upstream-stable | needed
5.10-bullseye-security | needed
5.10-upstream-stable | needed
6.1-bookworm-security | needed
6.1-upstream-stable | needed
6.6-upstream-stable | unknown
6.8-upstream-stable | unknown
sid | needed
upstream | needed