author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-11-01 15:01:06 +0100 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2016-11-01 16:25:41 +0100 |
commit | 9a717c218cd0e5b531c2c2d3e17ae4e9372326c0 (patch) | |
tree | d5ad3a4ca0cd843eebf3f0dbd8399d84eac4466c /recipes-kernel/linux/files | |
parent | 7914c3cba2645ff204e252d1cfc83937aebb0f78 (diff) | |
kernel-media: CVE-2016-5400
Fixes airspy usb probe error path
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5400
Reference to upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=d863bec646a590584eabcb40550bff0708c26b0d
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-kernel/linux/files')
-rw-r--r-- | recipes-kernel/linux/files/CVE-2016-5400.patch | 57 |
1 files changed, 57 insertions, 0 deletions
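--- /dev/null
+++ b/recipes-kernel/linux/files/CVE-2016-5400.patch
@@ -0,0 +1,57 @@
+From d863bec646a590584eabcb40550bff0708c26b0d Mon Sep 17 00:00:00 2001
+From: James Patrick-Evans <james@jmp-e.com>
+Date: Fri, 15 Jul 2016 16:40:45 +0100
+Subject: media: fix airspy usb probe error path
+
+commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream.
+
+Fix a memory leak on probe error of the airspy usb device driver.
+
+The problem is triggered when more than 64 usb devices register with
+v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
+
+The memory leak is caused by the probe function of the airspy driver
+mishandeling errors and not freeing the corresponding control structures
+when an error occours registering the device to v4l2 core.
+
+A badusb device can emulate 64 of these devices, and then through
+continual emulated connect/disconnect of the 65th device, cause the
+kernel to run out of RAM and crash the kernel, thus causing a local DOS
+vulnerability.
+
+Fixes CVE-2016-5400
+CVE: CVE-2016-5400
+
+Signed-off-by: James Patrick-Evans <james@jmp-e.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/media/usb/airspy/airspy.c | 3 +--
+1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
+index 565a593..34b35eb 100644
+--- a/drivers/media/usb/airspy/airspy.c
++++ b/drivers/media/usb/airspy/airspy.c
+@@ -1073,7 +1073,7 @@ static int airspy_probe(struct usb_interface *intf,
+if (ret) {
+dev_err(s->dev, "Failed to register as video device (%d)\n",
+ret);
+- goto err_unregister_v4l2_dev;
++ goto err_free_controls;
+}
+dev_info(s->dev, "Registered as %s\n",
+video_device_node_name(&s->vdev));
+@@ -1082,7 +1082,6 @@ static int airspy_probe(struct usb_interface *intf,
+
+err_free_controls:
+v4l2_ctrl_handler_free(&s->hdl);
+-err_unregister_v4l2_dev:
+v4l2_device_unregister(&s->v4l2_dev);
+err_free_mem:
+kfree(s);
+--
+cgit v0.12
+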
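Review bot: Nothing visible on this page wires the new patch file into the kernel build: the diffstat is limited to recipes-kernel/linux/files and shows only CVE-2016-5400.patch being added, so the airspy probe leak is fixed in the image only if a recipe or bbappend outside this view lists it, for example `SRC_URI += "file://CVE-2016-5400.patch"`. If that entry is missing, the built kernel keeps the leaking error path in airspy_probe and CVE-2016-5400 stays open despite the commit title. The patch header carries `CVE: CVE-2016-5400` but no upstream-status tag; adding `Upstream-Status: Backport` beside it would record the provenance that the `commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream.` line only implies. Both inner hunks cut through airspy_probe, so the earlier error paths that jump to these labels cannot be checked from here.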