[CVE-2016-5400,Vivid,Xenial] media: fix airspy usb probe error path

From: James Patrick-Evans <james@jmp-e.com>

Fix a memory leak on probe error of the airspy usb device driver.

The problem is triggered when more than 64 usb devices register with
v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.

The memory leak is caused by the probe function of the airspy driver
mishandeling errors and not freeing the corresponding control structures
when an error occours registering the device to v4l2 core.

A badusb device can emulate 64 of these devices, and then through
continual emulated connect/disconnect of the 65th device, cause the
kernel to run out of RAM and crash the kernel, thus causing a local DOS
vulnerability.

Fixes CVE-2016-5400

Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org # 3.17+
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit aa93d1fee85c890a34f2510a310e55ee76a27848)
CVE-2016-5400
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 drivers/media/usb/airspy/airspy.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

On 28/07/16 14:06, Luis Henriques wrote:
> From: James Patrick-Evans <james@jmp-e.com>
> 
> Fix a memory leak on probe error of the airspy usb device driver.
> 
> The problem is triggered when more than 64 usb devices register with
> v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
> 
> The memory leak is caused by the probe function of the airspy driver
> mishandeling errors and not freeing the corresponding control structures
> when an error occours registering the device to v4l2 core.
> 
> A badusb device can emulate 64 of these devices, and then through
> continual emulated connect/disconnect of the 65th device, cause the
> kernel to run out of RAM and crash the kernel, thus causing a local DOS
> vulnerability.
> 
> Fixes CVE-2016-5400
> 
> Signed-off-by: James Patrick-Evans <james@jmp-e.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Cc: stable@vger.kernel.org # 3.17+
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry picked from commit aa93d1fee85c890a34f2510a310e55ee76a27848)
> CVE-2016-5400
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  drivers/media/usb/airspy/airspy.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
> index a50750ce511d..ce51bf19cef3 100644
> --- a/drivers/media/usb/airspy/airspy.c
> +++ b/drivers/media/usb/airspy/airspy.c
> @@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
>  	if (ret) {
>  		dev_err(s->dev, "Failed to register as video device (%d)\n",
>  				ret);
> -		goto err_unregister_v4l2_dev;
> +		goto err_free_controls;
>  	}
>  	dev_info(s->dev, "Registered as %s\n",
>  			video_device_node_name(&s->vdev));
> @@ -1081,7 +1081,6 @@ static int airspy_probe(struct usb_interface *intf,
>  
>  err_free_controls:
>  	v4l2_ctrl_handler_free(&s->hdl);
> -err_unregister_v4l2_dev:
>  	v4l2_device_unregister(&s->v4l2_dev);
>  err_free_mem:
>  	kfree(s);
> 
Looks good to me.

Acked-by: Colin Ian King <colin.king@canonical.com>