summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--recipes-kernel/linux/files/CVE-2016-5400.patch57
-rw-r--r--recipes-kernel/linux/linux-yocto_4.%.bbappend1
2 files changed, 58 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/CVE-2016-5400.patch b/recipes-kernel/linux/files/CVE-2016-5400.patch
new file mode 100644
index 0000000..dd62bcd
--- /dev/null
+++ b/recipes-kernel/linux/files/CVE-2016-5400.patch
@@ -0,0 +1,57 @@
1From d863bec646a590584eabcb40550bff0708c26b0d Mon Sep 17 00:00:00 2001
2From: James Patrick-Evans <james@jmp-e.com>
3Date: Fri, 15 Jul 2016 16:40:45 +0100
4Subject: media: fix airspy usb probe error path
5
6commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream.
7
8Fix a memory leak on probe error of the airspy usb device driver.
9
10The problem is triggered when more than 64 usb devices register with
11v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
12
13The memory leak is caused by the probe function of the airspy driver
14mishandeling errors and not freeing the corresponding control structures
15when an error occours registering the device to v4l2 core.
16
17A badusb device can emulate 64 of these devices, and then through
18continual emulated connect/disconnect of the 65th device, cause the
19kernel to run out of RAM and crash the kernel, thus causing a local DOS
20vulnerability.
21
22Fixes CVE-2016-5400
23CVE: CVE-2016-5400
24
25Signed-off-by: James Patrick-Evans <james@jmp-e.com>
26Reviewed-by: Kees Cook <keescook@chromium.org>
27Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
28Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
29Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
30---
31 drivers/media/usb/airspy/airspy.c | 3 +--
32 1 file changed, 1 insertion(+), 2 deletions(-)
33
34diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
35index 565a593..34b35eb 100644
36--- a/drivers/media/usb/airspy/airspy.c
37+++ b/drivers/media/usb/airspy/airspy.c
38@@ -1073,7 +1073,7 @@ static int airspy_probe(struct usb_interface *intf,
39 if (ret) {
40 dev_err(s->dev, "Failed to register as video device (%d)\n",
41 ret);
42- goto err_unregister_v4l2_dev;
43+ goto err_free_controls;
44 }
45 dev_info(s->dev, "Registered as %s\n",
46 video_device_node_name(&s->vdev));
47@@ -1082,7 +1082,6 @@ static int airspy_probe(struct usb_interface *intf,
48
49 err_free_controls:
50 v4l2_ctrl_handler_free(&s->hdl);
51-err_unregister_v4l2_dev:
52 v4l2_device_unregister(&s->v4l2_dev);
53 err_free_mem:
54 kfree(s);
55--
56cgit v0.12
57
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend
index c2eff00..a81ff39 100644
--- a/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -7,6 +7,7 @@ SRC_URI += "file://hid-CVE-2016-5829.patch \
7 file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \ 7 file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
8 file://CVE-2016-4951.patch \ 8 file://CVE-2016-4951.patch \
9 file://CVE-2016-5195.patch \ 9 file://CVE-2016-5195.patch \
10 file://CVE-2016-5400.patch \
10 " 11 "
11 12
12ENEA_KERNEL_FRAGMENTS += "\ 13ENEA_KERNEL_FRAGMENTS += "\