The vulnerability is a memory leak in the `zr364xx_start_readpipe` function of the `zr364xx` driver. When `usb_submit_urb()` fails, the URB (USB Request Block) is not freed on that failure path, so the memory is leaked.

The leak can be observed through the backtrace provided, where `kmalloc` is called from `usb_alloc_urb`, which is in turn called from `zr364xx_start_readpipe`. The `zr364xx_probe` function also plays a role in this issue.

This vulnerability was introduced in kernel version 2.6.32 with commit `ccbf035ae5de` and has been fixed in various kernel versions, including 4.4.276, 4.9.276, 4.14.240, 4.19.198, 5.4.133, 5.10.51, 5.12.18, 5.13.3, and 5.14.

The affected file is `drivers/media/usb/zr364xx/zr364xx.c`. The mitigation for this issue is to update to the latest stable kernel version. If updating is not possible, individual changes can be cherry-picked from the provided commits. However, it is recommended to avoid cherry-picking individual commits and to use a supported kernel version instead.
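The error path described above, as an added userspace model in C (not the driver's code and not the upstream patch). The `usb_*` functions are simplified stand-ins for the kernel API that count live allocations, and `struct pipe_info`, `stream_urb`, `start_readpipe_leaky` and `start_readpipe_fixed` are hypothetical names.

```c
/* Userspace model, not kernel code: the usb_* stubs are simplified stand-ins. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct urb { int status; };
struct pipe_info { struct urb *stream_urb; };   /* hypothetical names */
static int live_urbs;      /* URBs allocated and not yet freed */
static int submit_fails;   /* knob: force usb_submit_urb() to fail */

static struct urb *usb_alloc_urb(void) {
    struct urb *u = calloc(1, sizeof(*u));
    if (u) live_urbs++;
    return u;
}
static void usb_free_urb(struct urb *u) { if (u) { live_urbs--; free(u); } }
static int usb_submit_urb(struct urb *u) { (void)u; return submit_fails ? -ENODEV : 0; }

/* Leaky shape: the error return skips the only place the URB could be freed. */
static int start_readpipe_leaky(struct pipe_info *p) {
    p->stream_urb = usb_alloc_urb();
    if (!p->stream_urb) return -ENOMEM;
    return usb_submit_urb(p->stream_urb);   /* on error the URB stays allocated */
}
/* Hardened shape: free the URB and clear the pointer before reporting failure. */
static int start_readpipe_fixed(struct pipe_info *p) {
    int ret;
    p->stream_urb = usb_alloc_urb();
    if (!p->stream_urb) return -ENOMEM;
    ret = usb_submit_urb(p->stream_urb);
    if (ret) {
        usb_free_urb(p->stream_urb);
        p->stream_urb = NULL;
    }
    return ret;
}
/* Run one start attempt with a failing submit; return URBs left allocated. */
static int urbs_left_after_failed_start(int (*start)(struct pipe_info *)) {
    struct pipe_info p = { NULL };
    int ret, left;
    live_urbs = 0; submit_fails = 1;
    ret = start(&p);
    left = ret ? live_urbs : -1;   /* -1: the start unexpectedly succeeded */
    free(p.stream_urb);            /* harness cleanup; NULL in the fixed case */
    return left;
}
int main(void) {
    printf("leaky: %d URB(s) left\n", urbs_left_after_failed_start(start_readpipe_leaky));
    printf("fixed: %d URB(s) left\n", urbs_left_after_failed_start(start_readpipe_fixed));
    return 0;
}
```

In the model each failed start in the leaky shape strands one allocation, which mirrors why the kernel leak grows with every failed `usb_submit_urb()` call.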