Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's vidtv driver has been addressed. It concerns local pointers that are not initialized to NULL when memory ownership is transferred. The 'vidtv_channel_si_init()' function creates temporary lists for programs, services, and events, and ownership of this memory is transferred to the PAT, SDT, and EIT tables. However, the local pointers used for the transfer are not set to NULL once it has completed. When the 'vidtv_psi_pmt_create_sec_for_each_pat_entry()' function fails, memory already freed by 'vidtv_psi_*_table_destroy()' can be accessed again through the stale local pointers and freed once more. The result is a use-after-free and a double free, which can cause instability or create exploitation opportunities.
The use-after-free can lead to memory corruption, and the double free can corrupt memory-management state, potentially enabling further exploitation.
The condition is reached when 'vidtv_channel_si_init()' transfers memory ownership to the PAT, SDT, and EIT tables without setting the local pointers for programs, services, and events to NULL, and the 'vidtv_psi_pmt_create_sec_for_each_pat_entry()' function then fails. On that failure path the stale local pointers cause memory to be accessed after it has been freed and to be freed twice.
The vulnerability has been fixed by modifying the 'vidtv_channel_si_init()' function to initialize the local pointers to NULL when memory ownership is transferred to the PAT, SDT, and EIT tables.
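The ownership hand-off and the NULL reset described above, shown as an added userspace model in C. This is not code from the vidtv driver: the names `si_init_model`, `list_destroy` and `table_destroy` are hypothetical, and static storage replaces the kernel allocator so that a second release is counted rather than performed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model: static storage stands in for kmalloc/kfree, so a second
 * release is counted instead of corrupting a real heap. */
struct node { bool live; struct node *next; };
struct table { struct node *entries; };
static struct node pool[2];
static int double_frees;

/* Release every node in a list; a NULL list is a no-op. */
static void list_destroy(struct node *n)
{
    for (; n; n = n->next) {
        if (!n->live)
            double_frees++;         /* node was already released */
        n->live = false;
    }
}

static void table_destroy(struct table *t)
{
    list_destroy(t->entries);       /* the table owns its entries */
    t->entries = NULL;
}

/* Hypothetical init flow; returns the number of double frees observed. */
int si_init_model(bool later_step_fails, bool null_after_transfer)
{
    struct table pat = { NULL };
    struct node *programs;
    double_frees = 0;
    pool[0] = (struct node){ .live = true, .next = NULL };
    pool[1] = (struct node){ .live = true, .next = &pool[0] };
    programs = &pool[1];            /* temporary two-entry list */
    pat.entries = programs;         /* ownership moves to the table */
    if (null_after_transfer)
        programs = NULL;            /* local no longer aliases table memory */
    if (later_step_fails) {         /* error path tears everything down */
        table_destroy(&pat);        /* frees the entries once */
        list_destroy(programs);     /* a stale local frees them again */
    }
    return double_frees;
}

int main(void)
{
    printf("stale local pointer: %d double frees\n", si_init_model(true, false));
    printf("NULL after transfer: %d double frees\n", si_init_model(true, true));
    return 0;
}
```

The same reset applies to every local list whose ownership moves to a table, since the error path releases each of them.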