[PATCH 1/1] subsystem:linux-media CVE-2016-5400

public inbox for linux-media@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH 1/1] subsystem:linux-media CVE-2016-5400
@ 2016-07-15 15:40 James Patrick-Evans
  2016-07-15 18:52 ` Kees Cook
  2016-07-15 21:17 ` Linus Torvalds
  0 siblings, 2 replies; 4+ messages in thread
From: James Patrick-Evans @ 2016-07-15 15:40 UTC (permalink / raw)
  To: mchehab; +Cc: crope, linux-media, security

This patch addresses CVE-2016-5400, a local DOS vulnerability caused by a 
memory leak in the airspy usb device driver. The vulnerability is triggered 
when more than 64 usb devices register with v4l2 of type VFL_TYPE_SDR or 
VFL_TYPE_SUBDEV.A badusb device can emulate 64 of these devices then 
through continual emulated connect/disconnect of the 65th device, cause the 
kernel to run out of RAM and crash the kernel. The vulnerability exists in 
kernel versions from 3.17 to current 4.7.
The memory leak is caused by the probe function of the airspy driver 
mishandeling errors and not freeing the corresponding control structures 
when an error occours registering the device to v4l2 core.

Signed-off-by: James Patrick-Evans <james@jmp-e.com>
---
  drivers/media/usb/airspy/airspy.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
index 87c1293..6c3ac8b 100644
--- a/drivers/media/usb/airspy/airspy.c
+++ b/drivers/media/usb/airspy/airspy.c
@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
  	if (ret) {
  		dev_err(s->dev, "Failed to register as video device (%d)\n",
  				ret);
-		goto err_unregister_v4l2_dev;
+		goto err_free_controls;
  	}
  	dev_info(s->dev, "Registered as %s\n",
  			video_device_node_name(&s->vdev));
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/1] subsystem:linux-media CVE-2016-5400
  2016-07-15 15:40 [PATCH 1/1] subsystem:linux-media CVE-2016-5400 James Patrick-Evans
@ 2016-07-15 18:52 ` Kees Cook
  2016-07-15 18:57   ` Kees Cook
  2016-07-15 21:17 ` Linus Torvalds
  1 sibling, 1 reply; 4+ messages in thread
From: Kees Cook @ 2016-07-15 18:52 UTC (permalink / raw)
  To: James Patrick-Evans
  Cc: mchehab, Antti Palosaari, linux-media, security@kernel.org

On Fri, Jul 15, 2016 at 8:40 AM, James Patrick-Evans <james@jmp-e.com> wrote:
> This patch addresses CVE-2016-5400, a local DOS vulnerability caused by a
> memory leak in the airspy usb device driver. The vulnerability is triggered
> when more than 64 usb devices register with v4l2 of type VFL_TYPE_SDR or
> VFL_TYPE_SUBDEV.A badusb device can emulate 64 of these devices then through
> continual emulated connect/disconnect of the 65th device, cause the kernel
> to run out of RAM and crash the kernel. The vulnerability exists in kernel
> versions from 3.17 to current 4.7.
> The memory leak is caused by the probe function of the airspy driver
> mishandeling errors and not freeing the corresponding control structures
> when an error occours registering the device to v4l2 core.

Thanks for getting this fixed!

> Signed-off-by: James Patrick-Evans <james@jmp-e.com>

Reviewed-by: Kees Cook <keescook@chromium.org>

> ---
>  drivers/media/usb/airspy/airspy.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/airspy/airspy.c
> b/drivers/media/usb/airspy/airspy.c
> index 87c1293..6c3ac8b 100644
> --- a/drivers/media/usb/airspy/airspy.c
> +++ b/drivers/media/usb/airspy/airspy.c
> @@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
>         if (ret) {
>                 dev_err(s->dev, "Failed to register as video device (%d)\n",
>                                 ret);
> -               goto err_unregister_v4l2_dev;
> +               goto err_free_controls;
>         }
>         dev_info(s->dev, "Registered as %s\n",
>                         video_device_node_name(&s->vdev));
> --
> 1.9.1
>

-Kees

-- 
Kees Cook
Brillo & Chrome OS Security

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/1] subsystem:linux-media CVE-2016-5400
  2016-07-15 18:52 ` Kees Cook
@ 2016-07-15 18:57   ` Kees Cook
  0 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2016-07-15 18:57 UTC (permalink / raw)
  To: James Patrick-Evans
  Cc: Antti Palosaari, linux-media, security@kernel.org,
	Mauro Carvalho Chehab

[fixing Mauro's email...]

On Fri, Jul 15, 2016 at 11:52 AM, Kees Cook <keescook@google.com> wrote:
> On Fri, Jul 15, 2016 at 8:40 AM, James Patrick-Evans <james@jmp-e.com> wrote:
>> This patch addresses CVE-2016-5400, a local DOS vulnerability caused by a
>> memory leak in the airspy usb device driver. The vulnerability is triggered
>> when more than 64 usb devices register with v4l2 of type VFL_TYPE_SDR or
>> VFL_TYPE_SUBDEV.A badusb device can emulate 64 of these devices then through
>> continual emulated connect/disconnect of the 65th device, cause the kernel
>> to run out of RAM and crash the kernel. The vulnerability exists in kernel
>> versions from 3.17 to current 4.7.
>> The memory leak is caused by the probe function of the airspy driver
>> mishandeling errors and not freeing the corresponding control structures
>> when an error occours registering the device to v4l2 core.
>
> Thanks for getting this fixed!
>
>> Signed-off-by: James Patrick-Evans <james@jmp-e.com>
>
> Reviewed-by: Kees Cook <keescook@chromium.org>
>
>> ---
>>  drivers/media/usb/airspy/airspy.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/media/usb/airspy/airspy.c
>> b/drivers/media/usb/airspy/airspy.c
>> index 87c1293..6c3ac8b 100644
>> --- a/drivers/media/usb/airspy/airspy.c
>> +++ b/drivers/media/usb/airspy/airspy.c
>> @@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
>>         if (ret) {
>>                 dev_err(s->dev, "Failed to register as video device (%d)\n",
>>                                 ret);
>> -               goto err_unregister_v4l2_dev;
>> +               goto err_free_controls;
>>         }
>>         dev_info(s->dev, "Registered as %s\n",
>>                         video_device_node_name(&s->vdev));
>> --
>> 1.9.1
>>
>
> -Kees
>
> --
> Kees Cook
> Brillo & Chrome OS Security



-- 
Kees Cook
Brillo & Chrome OS Security

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/1] subsystem:linux-media CVE-2016-5400
  2016-07-15 15:40 [PATCH 1/1] subsystem:linux-media CVE-2016-5400 James Patrick-Evans
  2016-07-15 18:52 ` Kees Cook
@ 2016-07-15 21:17 ` Linus Torvalds
  1 sibling, 0 replies; 4+ messages in thread
From: Linus Torvalds @ 2016-07-15 21:17 UTC (permalink / raw)
  To: James Patrick-Evans; +Cc: mchehab, crope, linux-media, security



On Fri, 15 Jul 2016, James Patrick-Evans wrote:
>
> The memory leak is caused by the probe function of the airspy driver
> mishandeling errors and not freeing the corresponding control structures when
> an error occours registering the device to v4l2 core.

The patch causes a warning about the now unused label.

I fixed that and cleaned up the commit message, and applied the end 
result.

          Linus

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-07-15 21:17 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-07-15 15:40 [PATCH 1/1] subsystem:linux-media CVE-2016-5400 James Patrick-Evans
2016-07-15 18:52 ` Kees Cook
2016-07-15 18:57   ` Kees Cook
2016-07-15 21:17 ` Linus Torvalds

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox