lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025100420-CVE-2022-50499-9f94@gregkh>
Date: Sat,  4 Oct 2025 17:51:24 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50499: media: dvb-core: Fix double free in dvb_register_device()

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-core: Fix double free in dvb_register_device()

In function dvb_register_device() -> dvb_register_media_device() ->
dvb_create_media_entity(), dvb->entity is allocated and initialized. If
the initialization fails, it frees the dvb->entity, and return an error
code. The caller takes the error code and handles the error by calling
dvb_media_device_free(), which unregisters the entity and frees the
field again if it is not NULL. As dvb->entity may not NULLed in
dvb_create_media_entity() when the allocation of dvbdev->pad fails, a
double free may occur. This may also cause an Use After free in
media_device_unregister_entity().

Fix this by storing NULL to dvb->entity when it is freed.

The Linux kernel CVE team has assigned CVE-2022-50499 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.9.195 with commit 9db28659aa893c68f162b11fd63bb7f6a713e52f and fixed in 4.9.337 with commit 0588b12c418c3e4f927ced11f27b02ef4a5bfb07
	Issue introduced in 4.14.147 with commit 1399a136127bfe1b9bb7c951d9851da62a519121 and fixed in 4.14.303 with commit e9a78485b658361fab6a5547377be6c1af6f1b3d
	Issue introduced in 4.19.77 with commit 4df2427a5148093987437054bb82da4d014dcd59 and fixed in 4.19.270 with commit 70bc51303871159796b55ba1a8f16637b46c2511
	Issue introduced in 5.4 with commit fcd5ce4b3936242e6679875a4d3c3acfc8743e15 and fixed in 5.4.229 with commit b21f62b49ee9c3e0216d685d9cfd6003e5727271
	Issue introduced in 5.4 with commit fcd5ce4b3936242e6679875a4d3c3acfc8743e15 and fixed in 5.10.163 with commit 7dd5a68cdbbbe7fc67ba701cb52ba10d8ba149f8
	Issue introduced in 5.4 with commit fcd5ce4b3936242e6679875a4d3c3acfc8743e15 and fixed in 5.15.87 with commit acf984a3718c2458eb9e08b6714490a04f213c58
	Issue introduced in 5.4 with commit fcd5ce4b3936242e6679875a4d3c3acfc8743e15 and fixed in 6.0.18 with commit 772892b29ac50c2c5e918fc80104aa6ede81d837
	Issue introduced in 5.4 with commit fcd5ce4b3936242e6679875a4d3c3acfc8743e15 and fixed in 6.1.4 with commit 123eddf92a114e03919942641d2c2b1f4ca56ea6
	Issue introduced in 5.4 with commit fcd5ce4b3936242e6679875a4d3c3acfc8743e15 and fixed in 6.2 with commit 6b0d0477fce747d4137aa65856318b55fba72198
	Issue introduced in 5.2.19 with commit 8c17f6f5d0d6aab72a2af25c9911ac66e984be06
	Issue introduced in 5.3.4 with commit 202be5d6e46f682b9d1d79cd4dc6ab726e62ef1c

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-50499
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/media/dvb-core/dvbdev.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/0588b12c418c3e4f927ced11f27b02ef4a5bfb07
	https://git.kernel.org/stable/c/e9a78485b658361fab6a5547377be6c1af6f1b3d
	https://git.kernel.org/stable/c/70bc51303871159796b55ba1a8f16637b46c2511
	https://git.kernel.org/stable/c/b21f62b49ee9c3e0216d685d9cfd6003e5727271
	https://git.kernel.org/stable/c/7dd5a68cdbbbe7fc67ba701cb52ba10d8ba149f8
	https://git.kernel.org/stable/c/acf984a3718c2458eb9e08b6714490a04f213c58
	https://git.kernel.org/stable/c/772892b29ac50c2c5e918fc80104aa6ede81d837
	https://git.kernel.org/stable/c/123eddf92a114e03919942641d2c2b1f4ca56ea6
	https://git.kernel.org/stable/c/6b0d0477fce747d4137aa65856318b55fba72198

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ