CVE-2023-52989

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/03/2025
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region

This patch is a fix for Linux kernel v2.6.33 or later.

For request subaction to IEC 61883-1 FCP region, the Linux FireWire subsystem has had an issue of use-after-free. The subsystem allows multiple user space listeners to the region, while data of the payload was likely released before the listeners execute read(2) to access it for copying to user space.

The issue was fixed by commit 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler"). The object of payload is duplicated in kernel space for each listener. When the listener executes ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to be released.

However, it causes a memory leak since the commit relies on a call of release_request() in drivers/firewire/core-cdev.c. Against the expectation, the function is never called due to the design of release_client_resource(). The function delegates the release task to the caller when called with a non-NULL fourth argument. The implementation of ioctl_send_response() is the case. It should release the object explicitly.

This commit fixes the bug.
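The ownership contract described above, as an added example that is not the kernel's code and not part of the advisory: a userspace C model in which a lookup function either runs the release callback or hands the resource to its caller. All names (`model_release_client_resource`, `model_release_request`, `leaked_after`) and the fixed-size payload pool are hypothetical stand-ins chosen for illustration.

```c
#include <stddef.h>

/* Userspace model with hypothetical names; not the kernel's code. */
#define POOL 16
static struct payload { int in_use; char data[64]; } pool[POOL];

static struct payload *payload_alloc(void)
{
    for (int i = 0; i < POOL; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;                       /* pool exhausted by leaked copies */
}
static void payload_free(struct payload *p) { if (p) p->in_use = 0; }

struct resource { void (*release)(struct resource *); };
struct inbound { struct resource res; struct payload *data; };

static struct inbound *table_slot;     /* stand-in for the client's handle table */

/* Release callback: the place the earlier fix expected the copy to be freed. */
static void model_release_request(struct resource *r)
{
    payload_free(((struct inbound *)r)->data);
}

/* Contract from the description: with a non-NULL 'out' the resource is handed
 * to the caller and the release callback is never invoked. */
static int model_release_client_resource(struct resource **out)
{
    struct inbound *req = table_slot;
    if (!req) return -1;
    table_slot = NULL;
    if (out) *out = &req->res; else req->res.release(&req->res);
    return 0;
}

/* One listener answering n requests; returns payload copies still allocated. */
static int leaked_after(int n, int explicit_release)
{
    int live = 0;
    for (int i = 0; i < POOL; i++) pool[i].in_use = 0;
    for (int i = 0; i < n; i++) {
        struct inbound req = { { model_release_request }, payload_alloc() };
        struct resource *r;
        table_slot = &req;
        if (model_release_client_resource(&r) < 0) continue;
        if (explicit_release)          /* the fix: the caller frees the copy */
            payload_free(((struct inbound *)r)->data);
    }
    for (int i = 0; i < POOL; i++) live += pool[i].in_use;
    return live;
}
```

With `explicit_release` set to 0 every answered request leaves one payload copy allocated until the pool is exhausted; with it set to 1 the count stays at zero.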

Vulnerable products and versions

CPE                                           From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  2.6.33 (including)  4.14.306 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  4.15 (including)    4.19.273 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  4.20 (including)    5.4.232 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.5 (including)     5.10.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.11 (including)    5.15.93 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.16 (including)    6.1.11 (excluding)
cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*