Message ID | 1469711197-14229-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
On 28/07/16 14:06, Luis Henriques wrote:
> From: James Patrick-Evans <james@jmp-e.com>
>
> Fix a memory leak on probe error of the airspy usb device driver.
>
> The problem is triggered when more than 64 usb devices register with
> v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
>
> The memory leak is caused by the probe function of the airspy driver
> mishandling errors and not freeing the corresponding control structures
> when an error occurs registering the device to v4l2 core.
>
> A badusb device can emulate 64 of these devices, and then through
> continual emulated connect/disconnect of the 65th device, cause the
> kernel to run out of RAM and crash the kernel, thus causing a local DOS
> vulnerability.
>
> Fixes CVE-2016-5400
>
> Signed-off-by: James Patrick-Evans <james@jmp-e.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Cc: stable@vger.kernel.org # 3.17+
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry picked from commit aa93d1fee85c890a34f2510a310e55ee76a27848)
> CVE-2016-5400
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> --- > drivers/media/usb/airspy/airspy.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c > index a50750ce511d..ce51bf19cef3 100644 > --- a/drivers/media/usb/airspy/airspy.c > +++ b/drivers/media/usb/airspy/airspy.c > @@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf, > if (ret) { > dev_err(s->dev, "Failed to register as video device (%d)\n", > ret); > - goto err_unregister_v4l2_dev; > + goto err_free_controls; > } > dev_info(s->dev, "Registered as %s\n", > video_device_node_name(&s->vdev)); 
> @@ -1081,7 +1081,6 @@ static int airspy_probe(struct usb_interface *intf, > > err_free_controls: > v4l2_ctrl_handler_free(&s->hdl); > -err_unregister_v4l2_dev: > v4l2_device_unregister(&s->v4l2_dev); > err_free_mem: > kfree(s); >

Looks good to me.

Acked-by: Colin Ian King <colin.king@canonical.com>

diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c index a50750ce511d..ce51bf19cef3 100644 --- a/drivers/media/usb/airspy/airspy.c +++ b/drivers/media/usb/airspy/airspy.c @@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf, if (ret) { dev_err(s->dev, "Failed to register as video device (%d)\n", ret); - goto err_unregister_v4l2_dev; + goto err_free_controls; } dev_info(s->dev, "Registered as %s\n", video_device_node_name(&s->vdev)); @@ -1081,7 +1081,6 @@ static int airspy_probe(struct usb_interface *intf, err_free_controls: v4l2_ctrl_handler_free(&s->hdl); -err_unregister_v4l2_dev: v4l2_device_unregister(&s->v4l2_dev); err_free_mem: kfree(s);
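
Review bot: In the first hunk (@@ -1072, the branch taken when registering the video device fails), jumping to err_free_controls is only safe if s->hdl has already been initialised by the time this goto is reached, and the visible context does not show that. Worth confirming in this backport that the control handler setup precedes the registration call, since this path now runs v4l2_ctrl_handler_free(&s->hdl) before v4l2_device_unregister(&s->v4l2_dev).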
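
Review bot: In the second hunk (@@ -1081), deleting the err_unregister_v4l2_dev label assumes no other goto in airspy_probe still targets it; the hunks show only one such jump being retargeted. Since the patch is tagged for stable 3.17+, check each backport target for remaining users of the label. The commit message could also name the leaked object (the control handler released by v4l2_ctrl_handler_free(&s->hdl)) rather than only "control structures".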