From: James Patrick-Evans <james@jmp-e.com>
To: mchehab@redhat.com
Cc: crope@iki.fi, linux-media@vger.kernel.org, security@kernel.org
Subject: [PATCH 1/1] subsystem:linux-media CVE-2016-5400
Date: Fri, 15 Jul 2016 16:40:45 +0100 [thread overview]
Message-ID: <20160715154004.GA840@ThinkPad-X200> (raw)
This patch addresses CVE-2016-5400, a local DOS vulnerability caused by a
memory leak in the airspy usb device driver. The vulnerability is triggered
when more than 64 usb devices register with v4l2 of type VFL_TYPE_SDR or
VFL_TYPE_SUBDEV.A badusb device can emulate 64 of these devices then
through continual emulated connect/disconnect of the 65th device, cause the
kernel to run out of RAM and crash the kernel. The vulnerability exists in
kernel versions from 3.17 to current 4.7.
The memory leak is caused by the probe function of the airspy driver
mishandeling errors and not freeing the corresponding control structures
when an error occours registering the device to v4l2 core.
Signed-off-by: James Patrick-Evans <james@jmp-e.com>
---
drivers/media/usb/airspy/airspy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
index 87c1293..6c3ac8b 100644
--- a/drivers/media/usb/airspy/airspy.c
+++ b/drivers/media/usb/airspy/airspy.c
@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
if (ret) {
dev_err(s->dev, "Failed to register as video device (%d)\n",
ret);
- goto err_unregister_v4l2_dev;
+ goto err_free_controls;
}
dev_info(s->dev, "Registered as %s\n",
video_device_node_name(&s->vdev));
--
1.9.1
next reply other threads:[~2016-07-15 15:50 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-15 15:40 James Patrick-Evans [this message]
2016-07-15 18:52 ` [PATCH 1/1] subsystem:linux-media CVE-2016-5400 Kees Cook
2016-07-15 18:57 ` Kees Cook
2016-07-15 21:17 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160715154004.GA840@ThinkPad-X200 \
--to=james@jmp-e.com \
--cc=crope@iki.fi \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@redhat.com \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox