1516257 – (CVE-2017-16648) CVE-2017-16648 kernel: Use-after-free in drivers/media/dvb-core/dvb_frontend.c

Bug 1516257 (CVE-2017-16648) - CVE-2017-16648 kernel: Use-after-free in drivers/media/dvb-core/dvb_frontend.c

Summary: CVE-2017-16648 kernel: Use-after-free in drivers/media/dvb-core/dvb_frontend.c

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-16648
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1516274 1546036 1546037 1546038
Blocks:	1516259
TreeView+	depends on / blocked

Reported:	2017-11-22 11:27 UTC by Andrej Nemec
Modified:	2021-10-27 10:53 UTC (History)
CC List:	41 users (show)
Fixed In Version:	kernel 4.14
Doc Type:	If docs needed, set a value
Doc Text:	The dvb frontend management subsystem in the Linux kernel contains a use-after-free which can allow a malicious user to write to memory that may be assigned to another kernel structure. This could create memory corruption, panic, or possibly other side affects.
Clone Of:
Environment:
Last Closed:	2021-10-27 10:53:40 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:2948	0	None	None	None	2018-10-30 08:56:49 UTC

Description Andrej Nemec 2017-11-22 11:27:22 UTC

The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. NOTE: the function was later renamed __dvb_frontend_free.

References:

https://groups.google.com/forum/#!msg/syzkaller/0HJQqTm0G_g/T931ItskBAAJ

https://patchwork.kernel.org/patch/10046189/

Upstream Fixes:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b1cb7372fa822af6c06c8045963571d13ad6348b

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b1728ff617f88a1f7a5d8c8f21fe17a2f6af5d16

Comment 1 Andrej Nemec 2017-11-22 11:53:03 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1516274]

Comment 6 Eric Christensen 2018-02-19 15:20:04 UTC

Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7, MRG-2 and real-time kernels.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux kernel-alt package.

Future Linux kernel updates for the respective releases may address this issue.

Comment 7 errata-xmlrpc 2018-10-30 08:56:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948

Note You need to log in before you can comment on or make changes to this bug.

agordeev
airlied
ajax
aquini
bhu
blc
bskeggs
dhoward
ewk
fhrbata
hdegoede
hkrzesin
hwkernel-mgr
iboverma
ichavero
itamar
jarodwilson
jeremy
jforbes
jkacur
john.j5live
jonathan
josef
jross
jwboyer
kernel-maint
kernel-mgr
lgoncalv
linville
mchehab
mcressma
mjg59
mlangsdo
nmurray
rt-maint
rvrbovsk
skozina
steved
vdronov
williams
wmealing