CVE-2022-41218 Driver uses refcount races to affect dvb_demux_open and dvb_dmxdev_release.

Due to a limitation in the API, when doing a dvb_demux_close(device) followed by a dvb_device_get(device) from the same device, the latter will fail with:

dvb_demux_close(device)
===========
...
refcount with dvb_device_get() = 1

dvb_device_get(device)
==============
device is freed

It happens because dvb_device_get() increments the reference count, but dvb_demux_close() does not decrement it. This issue does not exist in dvb_demux_open().

CVE-2018-7726

It is recommended to upgrade to these new kernel versions, which resolve this issue:

Red Hat Enterprise Linux 7.5 (RHEA) - https://rhn.redhat.com/errata/RHSA-2018-1852/
Debian 9 (stretch) - https://www.debian.org/security/
Red Hat Enterprise Linux 6.9 (Reisa) - https://rhn.redhat.com/errata/RHSA-2018-1851/
Debian 8 (jessie) - https://www.debian.org/security/
Red Hat Enterprise Linux 6.8 (Anaconda) - https://rhn.redhat.com/errata/RHSA-2018-1850/
Debian 7 (wheezy

References:

CVE-2022-41218
https://bugzilla.redhat.com/show_bug.cgi?id=1041384

CVE-2018-7726
https://bugzilla.redhat.com/show_bug.cgi?id=1644836

The kernel packages contain the following major components: kernel, kernel-rt and kernel-debug.

Timeline

Published on: 09/21/2022 07:15:00 UTC
Last modified on: 09/24/2022 15:15:00 UTC

References