CVE-2022-50725

In the Linux kernel, the following vulnerability has been resolved:

media: vidtv: Fix use-after-free in vidtvbridgedvb_init()

KASAN reports a use-after-free: BUG: KASAN: use-after-free in dvbdmxdevrelease+0x4d5/0x5d0 [dvbcore] Call Trace: ... dvbdmxdevrelease+0x4d5/0x5d0 [dvbcore] vidtvbridgeprobe+0x7bf/0xa40 [dvbvidtvbridge] platformprobe+0xb6/0x170 ... Allocated by task 1238: ... dvbregisterdevice+0x1a7/0xa70 [dvbcore] dvbdmxdevinit+0x2af/0x4a0 [dvbcore] vidtvbridgeprobe+0x766/0xa40 [dvbvidtvbridge] ... Freed by task 1238: dvbregisterdevice+0x6d2/0xa70 [dvbcore] dvbdmxdevinit+0x2af/0x4a0 [dvbcore] vidtvbridgeprobe+0x766/0xa40 [dvbvidtv_bridge] ...

It is because the error handling in vidtvbridgedvb_init() is wrong.

First, vidtvbridgedmx(dev)init() will clean themselves when fail, but goto faildmx(_dev): calls release functions again, which causes use-after-free.

Also, in failfe, failtunerprobe and faildemodprobe, j = i will cause out-of-bound when i finished its loop (i == NUMFE). And the loop releasing is wrong, although now NUM_FE is 1 so it won't cause problem.

Fix this by correctly releasing everything.