authorJustin M. Forbes <jforbes@redhat.com>2016-07-25 12:36:09 -0500
committerJustin M. Forbes <jforbes@redhat.com>2016-07-25 12:36:09 -0500
commit8cbf5a1acdfc884d1556fb835398530d3a8c1d6b (patch)
tree79df472efac4a406c99a47595ffffa49cc871a44
parentd0b2d44c4fce37700766991fdc9eb1e4d0415231 (diff)
CVE-2016-5400 Fix memory leak in airspy driver
-rw-r--r--airspy-fix-error-logic-during-device-register.patch40
-rw-r--r--kernel.spec6
2 files changed, 46 insertions, 0 deletions
diff --git a/airspy-fix-error-logic-during-device-register.patch b/airspy-fix-error-logic-during-device-register.patch
new file mode 100644
index 000000000..575090d9d
--- /dev/null
+++ b/airspy-fix-error-logic-during-device-register.patch
@@ -0,0 +1,40 @@
+From 785ef73dba6e9fefd2e5dd24546e0efa8698e5cd Mon Sep 17 00:00:00 2001
+From: James Patrick-Evans <james@jmp-e.com>
+Date: Fri, 15 Jul 2016 12:40:45 -0300
+Subject: [media] airspy: fix error logic during device register
+
+This patch addresses CVE-2016-5400, a local DOS vulnerability caused by
+a memory leak in the airspy usb device driver.
+
+The vulnerability is triggered when more than 64 usb devices register
+with v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.A badusb device can
+emulate 64 of these devices then through continual emulated
+connect/disconnect of the 65th device, cause the kernel to run out of
+RAM and crash the kernel.
+
+The vulnerability exists in kernel versions from 3.17 to current 4.7.
+
+The memory leak is caused by the probe function of the airspy driver
+mishandeling errors and not freeing the corresponding control structures
+when an error occours registering the device to v4l2 core.
+
+Signed-off-by: James Patrick-Evans <james@jmp-e.com>
+Cc: stable@vger.kernel.org # Up to Kernel 3.17
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+
+diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
+index d807d58..19cd64c 100644
+--- a/drivers/media/usb/airspy/airspy.c
++++ b/drivers/media/usb/airspy/airspy.c
+@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
+ if (ret) {
+ dev_err(s->dev, "Failed to register as video device (%d)\n",
+ ret);
+- goto err_unregister_v4l2_dev;
++ goto err_free_controls;
+ }
+ dev_info(s->dev, "Registered as %s\n",
+ video_device_node_name(&s->vdev));
+--
+cgit v0.10.2
+
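Review bot: The corrected `goto err_free_controls;` relies on cleanup labels that lie outside the embedded hunk, so the leak is only closed if `err_free_controls` releases the control structures and then falls through to `err_unregister_v4l2_dev`. That ordering should be confirmed in the tail of airspy_probe, whose body starts and ends outside the hunk. A short comment above the jump would help keep the unwind order from regressing, for example `/* controls are presumably set up by this point, so unwind them too */`. The commit message names only the registration-failure path, so earlier error exits in the same probe function are worth checking for the same kind of missed cleanup.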
diff --git a/kernel.spec b/kernel.spec
index 805ad3fa2..51815c7c8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -676,6 +676,9 @@ Patch836: drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch
Patch837: drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch
Patch838: Revert-ALSA-hda-remove-controller-dependency-on-i915.patch
+#CVE-2016-5400 rhbz 1358184 1358186
+Patch840: airspy-fix-error-logic-during-device-register.patch
+
# END OF PATCH DEFINITIONS
%endif
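Review bot: `Patch840` is declared here, but neither kernel.spec hunk adds a matching apply step, and the diffstat's six insertions are fully accounted for by the two visible hunks. The CVE-2016-5400 fix therefore reaches the built kernel only if the spec applies every declared patch automatically, which is not visible here and should be confirmed. The numbering also jumps from `Patch838` to `Patch840`; if 839 is not used elsewhere in the spec, `Patch839:` would keep the sequence contiguous.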
@@ -2196,6 +2199,9 @@ fi
#
#
%changelog
+* Mon Jul 25 2016 Justin Forbes <jforbes@fedoraproject.org>
+- CVE-2016-5400 Fix memory leak in airspy driver (rhbz 1358184 1358186)
+
* Thu Jul 14 2016 Josh Boyer <jwboyer@fedoraproject.org>
- Fix various i915 uncore oopses (rhbz 1340218 1325020 1342722 1347681)