CVE-2022-50626
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
Syzbot reports a memory leak in "dvb_usb_adapter_init()". The leak is due to not accounting for and freeing current iteration's adapter->priv in case of an error. Currently if an error occurs, it will exit before incrementing "num_adapters_initalized", which is used as a reference counter to free all adap->priv in "dvb_usb_adapter_exit()". There are multiple error paths that can exit from before incrementing the counter. Including the error handling paths for "dvb_usb_adapter_stream_init()", "dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()" within "dvb_usb_adapter_init()".
This means that in case of an error in any of these functions the current iteration is not accounted for and the current iteration's adap->priv is not freed.
Fix this by freeing the current iteration's adap->priv in the "stream_init_err:" label in the error path. The rest of the (accounted for) adap->priv objects are freed in dvb_usb_adapter_exit() as expected using the num_adapters_initalized variable.
Syzbot report:
BUG: memory leak unreferenced object 0xffff8881172f1a00 (size 512): comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. backtrace: [<ffffffff844af012>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline] [<ffffffff844af012>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline] [<ffffffff844af012>] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308 [<ffffffff830db21d>] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883 [<ffffffff82d3fdc7>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline] [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline] [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 [<ffffffff8274af6a>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782 [<ffffffff8274b786>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899 [<ffffffff82747c87>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 [<ffffffff8274b352>] __device_attach+0x122/0x260 drivers/base/dd.c:970 [<ffffffff827498f6>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487 [<ffffffff82745cdb>] device_add+0x5fb/0xdf0 drivers/base/core.c:3405 [<ffffffff82d3d202>] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170 [<ffffffff82d4dbfc>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 [<ffffffff82d3f49c>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline] [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline] [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 4d43e13f723e12734257277cc38497fab1efc605 < 733bc9e226da2a7f43b10031b8ebfc26d89ec4bd | affected |
| Linux | Linux | 4d43e13f723e12734257277cc38497fab1efc605 < e5a49140035591d13ff57a7537c65217e5af0d15 | affected |
| Linux | Linux | 4d43e13f723e12734257277cc38497fab1efc605 < 21b6b0c9f3796e6917e90db403dae9e74025fc40 | affected |
| Linux | Linux | 4d43e13f723e12734257277cc38497fab1efc605 < 17217737c174883dd975885ab4bee4b00f517239 | affected |
| Linux | Linux | 4d43e13f723e12734257277cc38497fab1efc605 < 7d7ab25ead969594df05fb09ee46ca931d46c5c8 | affected |
| Linux | Linux | 4d43e13f723e12734257277cc38497fab1efc605 < d0af6220bb1eed8225a5511de5a3bd386b94afa4 | affected |
| Linux | Linux | 4d43e13f723e12734257277cc38497fab1efc605 < e5d01eb6dc2f699a395d3e731c58a9b3bb4e269f | affected |
| Linux | Linux | 4d43e13f723e12734257277cc38497fab1efc605 < 93bbf2ed428142aa9a9693721230b28571678bf8 | affected |
| Linux | Linux | 4d43e13f723e12734257277cc38497fab1efc605 < 94d90fb06b94a90c176270d38861bcba34ce377d | affected |
| Linux | Linux | 2.6.19 | affected |
| Linux | Linux | 0 < 2.6.19 | unaffected |
| Linux | Linux | 4.9.337 <= 4.9.* | unaffected |
| Linux | Linux | 4.14.303 <= 4.14.* | unaffected |
| Linux | Linux | 4.19.270 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.229 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.163 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.86 <= 5.15.* | unaffected |
| Linux | Linux | 6.0.16 <= 6.0.* | unaffected |
| Linux | Linux | 6.1.2 <= 6.1.* | unaffected |
| Linux | Linux | 6.2 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/733bc9e226da2a7f43b10031b8ebfc26d89ec4bd
- https://git.kernel.org/stable/c/e5a49140035591d13ff57a7537c65217e5af0d15
- https://git.kernel.org/stable/c/21b6b0c9f3796e6917e90db403dae9e74025fc40
- https://git.kernel.org/stable/c/17217737c174883dd975885ab4bee4b00f517239
- https://git.kernel.org/stable/c/7d7ab25ead969594df05fb09ee46ca931d46c5c8
- https://git.kernel.org/stable/c/d0af6220bb1eed8225a5511de5a3bd386b94afa4
- https://git.kernel.org/stable/c/e5d01eb6dc2f699a395d3e731c58a9b3bb4e269f
- https://git.kernel.org/stable/c/93bbf2ed428142aa9a9693721230b28571678bf8
- https://git.kernel.org/stable/c/94d90fb06b94a90c176270d38861bcba34ce377d
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.