[fixing Mauro's email...]
On Fri, Jul 15, 2016 at 11:52 AM, Kees Cook <keesc...@google.com> wrote:
> On Fri, Jul 15, 2016 at 8:40 AM, James Patrick-Evans <ja...@jmp-e.com> wrote:
>> This patch addresses CVE-2016-5400, a local DOS vulnerability caused by a
>> memory leak in the airspy usb device driver. The vulnerability is triggered
>> when more than 64 usb devices register with v4l2 of type VFL_TYPE_SDR or
>> VFL_TYPE_SUBDEV.A badusb device can emulate 64 of these devices then through
>> continual emulated connect/disconnect of the 65th device, cause the kernel
>> to run out of RAM and crash the kernel. The vulnerability exists in kernel
>> versions from 3.17 to current 4.7.
>> The memory leak is caused by the probe function of the airspy driver
>> mishandeling errors and not freeing the corresponding control structures
>> when an error occours registering the device to v4l2 core.
>
> Thanks for getting this fixed!
>
>> Signed-off-by: James Patrick-Evans <ja...@jmp-e.com>
>
> Reviewed-by: Kees Cook <keesc...@chromium.org>
>
>> ---
>> drivers/media/usb/airspy/airspy.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/media/usb/airspy/airspy.c
>> b/drivers/media/usb/airspy/airspy.c
>> index 87c1293..6c3ac8b 100644
>> --- a/drivers/media/usb/airspy/airspy.c
>> +++ b/drivers/media/usb/airspy/airspy.c
>> @@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
>> if (ret) {
>> dev_err(s->dev, "Failed to register as video device (%d)\n",
>> ret);
>> - goto err_unregister_v4l2_dev;
>> + goto err_free_controls;
>> }
>> dev_info(s->dev, "Registered as %s\n",
>> video_device_node_name(&s->vdev));
>> --
>> 1.9.1
>>
>
> -Kees
>
> --
> Kees Cook
> Brillo & Chrome OS Security
--
Kees Cook
Brillo & Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
