fkie_cve-2022-50626
Vulnerability from fkie_nvd
Published
2025-12-08 02:15
Modified
2025-12-08 18:26
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Syzbot reports a memory leak in "dvb_usb_adapter_init()". The leak is due to not accounting for and freeing current iteration's adapter->priv in case of an error. Currently if an error occurs, it will exit before incrementing "num_adapters_initalized", which is used as a reference counter to free all adap->priv in "dvb_usb_adapter_exit()". There are multiple error paths that can exit from before incrementing the counter. Including the error handling paths for "dvb_usb_adapter_stream_init()", "dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()" within "dvb_usb_adapter_init()". This means that in case of an error in any of these functions the current iteration is not accounted for and the current iteration's adap->priv is not freed. Fix this by freeing the current iteration's adap->priv in the "stream_init_err:" label in the error path. The rest of the (accounted for) adap->priv objects are freed in dvb_usb_adapter_exit() as expected using the num_adapters_initalized variable. Syzbot report: BUG: memory leak unreferenced object 0xffff8881172f1a00 (size 512): comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff844af012>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline] [<ffffffff844af012>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline] [<ffffffff844af012>] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308 [<ffffffff830db21d>] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883 [<ffffffff82d3fdc7>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline] [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline] [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 [<ffffffff8274af6a>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782 [<ffffffff8274b786>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899 [<ffffffff82747c87>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 [<ffffffff8274b352>] __device_attach+0x122/0x260 drivers/base/dd.c:970 [<ffffffff827498f6>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487 [<ffffffff82745cdb>] device_add+0x5fb/0xdf0 drivers/base/core.c:3405 [<ffffffff82d3d202>] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170 [<ffffffff82d4dbfc>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 [<ffffffff82d3f49c>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline] [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline] [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/17217737c174883dd975885ab4bee4b00f517239
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/21b6b0c9f3796e6917e90db403dae9e74025fc40
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/733bc9e226da2a7f43b10031b8ebfc26d89ec4bd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7d7ab25ead969594df05fb09ee46ca931d46c5c8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/93bbf2ed428142aa9a9693721230b28571678bf8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/94d90fb06b94a90c176270d38861bcba34ce377d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d0af6220bb1eed8225a5511de5a3bd386b94afa4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e5a49140035591d13ff57a7537c65217e5af0d15
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e5d01eb6dc2f699a395d3e731c58a9b3bb4e269f
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb: fix memory leak in dvb_usb_adapter_init()\n\nSyzbot reports a memory leak in \"dvb_usb_adapter_init()\".\nThe leak is due to not accounting for and freeing current iteration\u0027s\nadapter-\u003epriv in case of an error. Currently if an error occurs,\nit will exit before incrementing \"num_adapters_initalized\",\nwhich is used as a reference counter to free all adap-\u003epriv\nin \"dvb_usb_adapter_exit()\". There are multiple error paths that\ncan exit from before incrementing the counter. Including the\nerror handling paths for \"dvb_usb_adapter_stream_init()\",\n\"dvb_usb_adapter_dvb_init()\" and \"dvb_usb_adapter_frontend_init()\"\nwithin \"dvb_usb_adapter_init()\".\n\nThis means that in case of an error in any of these functions the\ncurrent iteration is not accounted for and the current iteration\u0027s\nadap-\u003epriv is not freed.\n\nFix this by freeing the current iteration\u0027s adap-\u003epriv in the\n\"stream_init_err:\" label in the error path. The rest of the\n(accounted for) adap-\u003epriv objects are freed in dvb_usb_adapter_exit()\nas expected using the num_adapters_initalized variable.\n\nSyzbot report:\n\nBUG: memory leak\nunreferenced object 0xffff8881172f1a00 (size 512):\n  comm \"kworker/0:2\", pid 139, jiffies 4294994873 (age 10.960s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\nbacktrace:\n    [\u003cffffffff844af012\u003e] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline]\n    [\u003cffffffff844af012\u003e] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]\n    [\u003cffffffff844af012\u003e] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308\n    [\u003cffffffff830db21d\u003e] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883\n    [\u003cffffffff82d3fdc7\u003e] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n    [\u003cffffffff8274ab37\u003e] call_driver_probe drivers/base/dd.c:542 [inline]\n    [\u003cffffffff8274ab37\u003e] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621\n    [\u003cffffffff8274ae6c\u003e] really_probe drivers/base/dd.c:583 [inline]\n    [\u003cffffffff8274ae6c\u003e] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752\n    [\u003cffffffff8274af6a\u003e] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782\n    [\u003cffffffff8274b786\u003e] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899\n    [\u003cffffffff82747c87\u003e] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427\n    [\u003cffffffff8274b352\u003e] __device_attach+0x122/0x260 drivers/base/dd.c:970\n    [\u003cffffffff827498f6\u003e] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487\n    [\u003cffffffff82745cdb\u003e] device_add+0x5fb/0xdf0 drivers/base/core.c:3405\n    [\u003cffffffff82d3d202\u003e] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170\n    [\u003cffffffff82d4dbfc\u003e] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238\n    [\u003cffffffff82d3f49c\u003e] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293\n    [\u003cffffffff8274ab37\u003e] call_driver_probe drivers/base/dd.c:542 [inline]\n    [\u003cffffffff8274ab37\u003e] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621\n    [\u003cffffffff8274ae6c\u003e] really_probe drivers/base/dd.c:583 [inline]\n    [\u003cffffffff8274ae6c\u003e] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752"
    }
  ],
  "id": "CVE-2022-50626",
  "lastModified": "2025-12-08T18:26:19.900",
  "metrics": {},
  "published": "2025-12-08T02:15:48.653",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/17217737c174883dd975885ab4bee4b00f517239"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/21b6b0c9f3796e6917e90db403dae9e74025fc40"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/733bc9e226da2a7f43b10031b8ebfc26d89ec4bd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7d7ab25ead969594df05fb09ee46ca931d46c5c8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/93bbf2ed428142aa9a9693721230b28571678bf8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/94d90fb06b94a90c176270d38861bcba34ce377d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d0af6220bb1eed8225a5511de5a3bd386b94afa4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e5a49140035591d13ff57a7537c65217e5af0d15"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e5d01eb6dc2f699a395d3e731c58a9b3bb4e269f"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.