CVE-2022-50725

Summary

In the Linux kernel, the following vulnerability has been resolved:

media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init()

KASAN reports a use-after-free: BUG: KASAN: use-after-free in dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core] Call Trace: … dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core] vidtv_bridge_probe+0x7bf/0xa40 [dvb_vidtv_bridge] platform_probe+0xb6/0x170 … Allocated by task 1238: … dvb_register_device+0x1a7/0xa70 [dvb_core] dvb_dmxdev_init+0x2af/0x4a0 [dvb_core] vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge] … Freed by task 1238: dvb_register_device+0x6d2/0xa70 [dvb_core] dvb_dmxdev_init+0x2af/0x4a0 [dvb_core] vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge] …

It is because the error handling in vidtv_bridge_dvb_init() is wrong.

First, vidtv_bridge_dmx(dev)_init() will clean themselves when fail, but goto fail_dmx(_dev): calls release functions again, which causes use-after-free.

Also, in fail_fe, fail_tuner_probe and fail_demod_probe, j = i will cause out-of-bound when i finished its loop (i == NUM_FE). And the loop releasing is wrong, although now NUM_FE is 1 so it won't cause problem.

Fix this by correctly releasing everything.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < 0369af6fe33d4053899b121b32e91f870b2cf0aeaffected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < c290aa527fd832d278c6388a3ba53a9890fbd74aaffected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < 06398ce69571a43a8a0dd0f1bfe35d221f726a6aaffected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < 8a204a0b4a0d105229735222c515759ea2b126c1affected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < ba8d9405935097e296bcf7a942c3a01df0edb865affected
LinuxLinux5.10affected
LinuxLinux0 < 5.10unaffected
LinuxLinux5.10.163 <= 5.10.*unaffected
LinuxLinux5.15.86 <= 5.15.*unaffected
LinuxLinux6.0.16 <= 6.0.*unaffected
LinuxLinux6.1.2 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

References