CVE-2016-5400 Fix memory leak in airspy driver
parent d0b2d44c4f
commit 8cbf5a1acd
@ -0,0 +1,40 @@
From 785ef73dba6e9fefd2e5dd24546e0efa8698e5cd Mon Sep 17 00:00:00 2001
From: James Patrick-Evans <james@jmp-e.com>
Date: Fri, 15 Jul 2016 12:40:45 -0300
Subject: [media] airspy: fix error logic during device register
This patch addresses CVE-2016-5400, a local DOS vulnerability caused by
a memory leak in the airspy usb device driver.
The vulnerability is triggered when more than 64 usb devices register
with v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.A badusb device can
emulate 64 of these devices then through continual emulated
connect/disconnect of the 65th device, cause the kernel to run out of
RAM and crash the kernel.
The vulnerability exists in kernel versions from 3.17 to current 4.7.
The memory leak is caused by the probe function of the airspy driver
mishandeling errors and not freeing the corresponding control structures
when an error occours registering the device to v4l2 core.
Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Cc: stable@vger.kernel.org # Up to Kernel 3.17
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
index d807d58..19cd64c 100644
--- a/drivers/media/usb/airspy/airspy.c
+++ b/drivers/media/usb/airspy/airspy.c
@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
if (ret) {
dev_err(s->dev, "Failed to register as video device (%d)\n",
ret);
- goto err_unregister_v4l2_dev;
+ goto err_free_controls;
}
dev_info(s->dev, "Registered as %s\n",
video_device_node_name(&s->vdev));
--
cgit v0.10.2
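Review bot: In the airspy_probe hunk the failure branch now jumps to err_free_controls, but that label lies outside the visible context, so these lines alone do not show that the path still reaches err_unregister_v4l2_dev after the controls are freed. Please confirm in drivers/media/usb/airspy/airspy.c that err_free_controls sits above err_unregister_v4l2_dev and falls through to it, so that a failed video device registration both frees the control structures and unregisters the v4l2 device. Separately, the tag "Cc: stable@vger.kernel.org # Up to Kernel 3.17" reads as the opposite of the message's "from 3.17 to current 4.7"; as this is a carried patch it should stay verbatim, but the affected range to use when deciding which branches need it is the one stated in the message.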
@ -676,6 +676,9 @@ Patch836: drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch
Patch837: drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch
Patch838: Revert-ALSA-hda-remove-controller-dependency-on-i915.patch
#CVE-2016-5400 rhbz 1358184 1358186
Patch840: airspy-fix-error-logic-during-device-register.patch
# END OF PATCH DEFINITIONS
%endif
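Review bot: Patch840 is added directly after Patch838, leaving 839 unused; if the gap is not deliberate, number the new entry 839 so the sequence stays contiguous. The comment line "#CVE-2016-5400 rhbz 1358184 1358186" also lacks the space after "#" that "# END OF PATCH DEFINITIONS" uses.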
@ -2196,6 +2199,9 @@ fi
#
#
%changelog
* Mon Jul 25 2016 Justin Forbes <jforbes@fedoraproject.org>
- CVE-2016-5400 Fix memory leak in airspy driver (rhbz 1358184 1358186)
* Thu Jul 14 2016 Josh Boyer <jwboyer@fedoraproject.org>
- Fix various i915 uncore oopses (rhbz 1340218 1325020 1342722 1347681)