From 9a717c218cd0e5b531c2c2d3e17ae4e9372326c0 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Tue, 1 Nov 2016 15:01:06 +0100
Subject: kernel-media: CVE-2016-5400 Fixes airspy usb probe error path Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5400 Reference to upstream patch: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=d863bec646a590584eabcb40550bff0708c26b0d
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
recipes-kernel/linux/files/CVE-2016-5400.patch | 57 ++++++++++++++++++++++++++
recipes-kernel/linux/linux-yocto_4.%.bbappend | 1 +
2 files changed, 58 insertions(+)
create mode 100644 recipes-kernel/linux/files/CVE-2016-5400.patch
diff --git a/recipes-kernel/linux/files/CVE-2016-5400.patch b/recipes-kernel/linux/files/CVE-2016-5400.patch
new file mode 100644
index 0000000..dd62bcd
--- /dev/null
+++ b/recipes-kernel/linux/files/CVE-2016-5400.patch
@@ -0,0 +1,57 @@
+From d863bec646a590584eabcb40550bff0708c26b0d Mon Sep 17 00:00:00 2001
+From: James Patrick-Evans
+Date: Fri, 15 Jul 2016 16:40:45 +0100
+Subject: media: fix airspy usb probe error path
+
+commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream.
+
+Fix a memory leak on probe error of the airspy usb device driver.
+
+The problem is triggered when more than 64 usb devices register with
+v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
+
+The memory leak is caused by the probe function of the airspy driver
+mishandeling errors and not freeing the corresponding control structures
+when an error occours registering the device to v4l2 core.
+
+A badusb device can emulate 64 of these devices, and then through
+continual emulated connect/disconnect of the 65th device, cause the
+kernel to run out of RAM and crash the kernel, thus causing a local DOS
+vulnerability.
+
+Fixes CVE-2016-5400
+CVE: CVE-2016-5400
+
+Signed-off-by: James Patrick-Evans
+Reviewed-by: Kees Cook
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ drivers/media/usb/airspy/airspy.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
+index 565a593..34b35eb 100644
+--- a/drivers/media/usb/airspy/airspy.c
++++ b/drivers/media/usb/airspy/airspy.c
+@@ -1073,7 +1073,7 @@ static int airspy_probe(struct usb_interface *intf,
+ if (ret) {
+ dev_err(s->dev, "Failed to register as video device (%d)\n",
+ ret);
+- goto err_unregister_v4l2_dev;
++ goto err_free_controls;
+ }
+ dev_info(s->dev, "Registered as %s\n",
+ video_device_node_name(&s->vdev));
+@@ -1082,7 +1082,6 @@ static int airspy_probe(struct usb_interface *intf,
+
+ err_free_controls:
+ v4l2_ctrl_handler_free(&s->hdl);
+-err_unregister_v4l2_dev:
+ v4l2_device_unregister(&s->v4l2_dev);
+ err_free_mem:
+ kfree(s);
+--
+cgit v0.12
+
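Review bot: The header of the added patch file has a `CVE: CVE-2016-5400` tag but no `Upstream-Status:` line, so the file itself does not record that this is a backport or where it came from. Adding `Upstream-Status: Backport [https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=d863bec646a590584eabcb40550bff0708c26b0d]` next to the CVE tag would let a later maintainer see when the patch can be dropped. The embedded hunks also delete the `err_unregister_v4l2_dev:` label while showing only the tail of `airspy_probe`. The function body starts outside them, so it is worth confirming that no other `goto err_unregister_v4l2_dev` remains in each kernel tree this is applied to; a leftover reference would break the build.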
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend index c2eff00..a81ff39 100644 --- a/recipes-kernel/linux/linux-yocto_4.%.bbappend +++ b/recipes-kernel/linux/linux-yocto_4.%.bbappend @@ -7,6 +7,7 @@ SRC_URI += "file://hid-CVE-2016-5829.patch \ file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \ file://CVE-2016-4951.patch \ file://CVE-2016-5195.patch \ + file://CVE-2016-5400.patch \ " ENEA_KERNEL_FRAGMENTS += "\ -- cgit v1.2.3-54-g00ecf
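Review bot: The new `file://CVE-2016-5400.patch \` entry sits in a `linux-yocto_4.%` append, so it is applied to every 4.x linux-yocto recipe the layer builds, with nothing restricting it to kernels that still lack the fix. On a tree that already contains upstream commit aa93d1fee85c, `do_patch` would presumably fail, because the patch removes a label that is no longer present. It is worth confirming which kernel versions this append actually matches. A comment above the `SRC_URI +=` assignment (which begins outside this hunk's changed lines), such as `# CVE-2016-5400.patch: drop once the kernel includes upstream aa93d1fee85c`, would make the removal condition explicit.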