Description
In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NULL. This causes the vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and in the flow that jumps to free_eit, the memory that was freed by vidtv_psi_*_table_destroy() can be accessed again by vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it is freed once again. Therefore, to prevent use-after-free and double-free vulnerability, local pointers must be initialized to NULL when transferring memory ownership.
Product status
3be8037960bccd13052cfdeba8805ad785041d70 (git) before c342e294dac4988c8ada759b2f057246e48c5108
3be8037960bccd13052cfdeba8805ad785041d70 (git) before 12ab6ebb37789b84073e83e4d9b14a5e0d133323
3be8037960bccd13052cfdeba8805ad785041d70 (git) before 3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e
3be8037960bccd13052cfdeba8805ad785041d70 (git) before fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8
3be8037960bccd13052cfdeba8805ad785041d70 (git) before a69c7fd603bf5ad93177394fbd9711922ee81032
3be8037960bccd13052cfdeba8805ad785041d70 (git) before 30f4d4e5224a9e44e9ceb3956489462319d804ce
3be8037960bccd13052cfdeba8805ad785041d70 (git) before 98aabfe2d79f74613abc2b0b1cef08f97eaf5322
5.10
Any version before 5.10
5.10.248 (semver)
5.15.198 (semver)
6.1.160 (semver)
6.6.120 (semver)
6.12.64 (semver)
6.18.3 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/c342e294dac4988c8ada759b2f057246e48c5108
git.kernel.org/...c/12ab6ebb37789b84073e83e4d9b14a5e0d133323
git.kernel.org/...c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e
git.kernel.org/...c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8
git.kernel.org/...c/a69c7fd603bf5ad93177394fbd9711922ee81032
git.kernel.org/...c/30f4d4e5224a9e44e9ceb3956489462319d804ce
git.kernel.org/...c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322