diff options
Diffstat (limited to 'recipes-kernel')
-rw-r--r-- | recipes-kernel/linux/files/CVE-2016-5400.patch | 57 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-yocto_4.%.bbappend | 1 |
2 files changed, 58 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/CVE-2016-5400.patch b/recipes-kernel/linux/files/CVE-2016-5400.patch new file mode 100644 index 0000000..dd62bcd --- /dev/null +++ b/recipes-kernel/linux/files/CVE-2016-5400.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From d863bec646a590584eabcb40550bff0708c26b0d Mon Sep 17 00:00:00 2001 | ||
2 | From: James Patrick-Evans <james@jmp-e.com> | ||
3 | Date: Fri, 15 Jul 2016 16:40:45 +0100 | ||
4 | Subject: media: fix airspy usb probe error path | ||
5 | |||
6 | commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream. | ||
7 | |||
8 | Fix a memory leak on probe error of the airspy usb device driver. | ||
9 | |||
10 | The problem is triggered when more than 64 usb devices register with | ||
11 | v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV. | ||
12 | |||
13 | The memory leak is caused by the probe function of the airspy driver | ||
14 | mishandeling errors and not freeing the corresponding control structures | ||
15 | when an error occours registering the device to v4l2 core. | ||
16 | |||
17 | A badusb device can emulate 64 of these devices, and then through | ||
18 | continual emulated connect/disconnect of the 65th device, cause the | ||
19 | kernel to run out of RAM and crash the kernel, thus causing a local DOS | ||
20 | vulnerability. | ||
21 | |||
22 | Fixes CVE-2016-5400 | ||
23 | CVE: CVE-2016-5400 | ||
24 | |||
25 | Signed-off-by: James Patrick-Evans <james@jmp-e.com> | ||
26 | Reviewed-by: Kees Cook <keescook@chromium.org> | ||
27 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | ||
28 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
29 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
30 | --- | ||
31 | drivers/media/usb/airspy/airspy.c | 3 +-- | ||
32 | 1 file changed, 1 insertion(+), 2 deletions(-) | ||
33 | |||
34 | diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c | ||
35 | index 565a593..34b35eb 100644 | ||
36 | --- a/drivers/media/usb/airspy/airspy.c | ||
37 | +++ b/drivers/media/usb/airspy/airspy.c | ||
38 | @@ -1073,7 +1073,7 @@ static int airspy_probe(struct usb_interface *intf, | ||
39 | if (ret) { | ||
40 | dev_err(s->dev, "Failed to register as video device (%d)\n", | ||
41 | ret); | ||
42 | - goto err_unregister_v4l2_dev; | ||
43 | + goto err_free_controls; | ||
44 | } | ||
45 | dev_info(s->dev, "Registered as %s\n", | ||
46 | video_device_node_name(&s->vdev)); | ||
47 | @@ -1082,7 +1082,6 @@ static int airspy_probe(struct usb_interface *intf, | ||
48 | |||
49 | err_free_controls: | ||
50 | v4l2_ctrl_handler_free(&s->hdl); | ||
51 | -err_unregister_v4l2_dev: | ||
52 | v4l2_device_unregister(&s->v4l2_dev); | ||
53 | err_free_mem: | ||
54 | kfree(s); | ||
55 | -- | ||
56 | cgit v0.12 | ||
57 | |||
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend index c2eff00..a81ff39 100644 --- a/recipes-kernel/linux/linux-yocto_4.%.bbappend +++ b/recipes-kernel/linux/linux-yocto_4.%.bbappend | |||
@@ -7,6 +7,7 @@ SRC_URI += "file://hid-CVE-2016-5829.patch \ | |||
7 | file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \ | 7 | file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \ |
8 | file://CVE-2016-4951.patch \ | 8 | file://CVE-2016-4951.patch \ |
9 | file://CVE-2016-5195.patch \ | 9 | file://CVE-2016-5195.patch \ |
10 | file://CVE-2016-5400.patch \ | ||
10 | " | 11 | " |
11 | 12 | ||
12 | ENEA_KERNEL_FRAGMENTS += "\ | 13 | ENEA_KERNEL_FRAGMENTS += "\ |