ACK: [CVE-2016-5400][Vivid, Xenial] media: fix airspy usb probe error path

Colin Ian King colin.king at canonical.com
Thu Jul 28 13:08:32 UTC 2016


On 28/07/16 14:06, Luis Henriques wrote:
> From: James Patrick-Evans <james at jmp-e.com>
> 
> Fix a memory leak on probe error of the airspy usb device driver.
> 
> The problem is triggered when more than 64 usb devices register with
> v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
> 
> The memory leak is caused by the probe function of the airspy driver
> mishandling errors and not freeing the corresponding control structures
> when an error occurs registering the device to v4l2 core.
> 
> A badusb device can emulate 64 of these devices, and then through
> continual emulated connect/disconnect of the 65th device, cause the
> kernel to run out of RAM and crash the kernel, thus causing a local DOS
> vulnerability.
> 
> Fixes CVE-2016-5400
> 
> Signed-off-by: James Patrick-Evans <james at jmp-e.com>
> Reviewed-by: Kees Cook <keescook at chromium.org>
> Cc: stable at vger.kernel.org # 3.17+
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (cherry picked from commit aa93d1fee85c890a34f2510a310e55ee76a27848)
> CVE-2016-5400
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  drivers/media/usb/airspy/airspy.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
> index a50750ce511d..ce51bf19cef3 100644
> --- a/drivers/media/usb/airspy/airspy.c
> +++ b/drivers/media/usb/airspy/airspy.c
> @@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
>  	if (ret) {
>  		dev_err(s->dev, "Failed to register as video device (%d)\n",
>  				ret);
> -		goto err_unregister_v4l2_dev;
> +		goto err_free_controls;
>  	}
>  	dev_info(s->dev, "Registered as %s\n",
>  			video_device_node_name(&s->vdev));
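Review bot: The `goto err_free_controls;` in the "Failed to register as video device" branch now sends this failure through `v4l2_ctrl_handler_free(&s->hdl)`, so the handler has to be initialised before this point in airspy_probe(), and the hunk does not show that setup. Please confirm in both the Vivid and Xenial trees that the handler is set up ahead of this registration call. It would also help if the commit message named `s->hdl` as the object that leaks rather than "control structures".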
> @@ -1081,7 +1081,6 @@ static int airspy_probe(struct usb_interface *intf,
>  
>  err_free_controls:
>  	v4l2_ctrl_handler_free(&s->hdl);
> -err_unregister_v4l2_dev:
>  	v4l2_device_unregister(&s->v4l2_dev);
>  err_free_mem:
>  	kfree(s);
> 
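Review bot: Removing the `err_unregister_v4l2_dev:` label is only safe if the goto changed in the previous hunk was its sole user, and the visible lines do not show the rest of airspy_probe(). The diffstat (1 insertion, 2 deletions) is consistent with that, but a build of each target tree would confirm no other jump still references it. The remaining ladder unwinds in the order free controls, `v4l2_device_unregister(&s->v4l2_dev)`, `kfree(s)`, which is the order this failure needs.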
Looks good to me.

Acked-by: Colin Ian King <colin.king at canonical.com>
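
The leak described in the commit message, as an added example that is not part of the original thread or the kernel source: a constructed user-space model of the unwind ladder, comparing the pre-patch jump target with the patched one once all 64 device nodes are taken. All names, the 256-byte size and the attempt count are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed user-space model, not kernel code; all names are hypothetical. */
#define MAX_NODES 64          /* device limit named in the commit message */
#define CTRL_BYTES 256        /* constructed size of the control structures */
static int nodes_in_use;      /* device nodes currently registered */
static long live_ctrl_bytes;  /* control memory allocated and not yet freed */
struct model_dev { void *ctrl; };

/* fixed == 0 takes the pre-patch jump target, fixed != 0 the patched one. */
static int model_probe(int fixed)
{
	struct model_dev *s = calloc(1, sizeof(*s));
	if (!s)
		return -1;
	s->ctrl = malloc(CTRL_BYTES);
	if (!s->ctrl)
		goto err_free_mem;
	live_ctrl_bytes += CTRL_BYTES;
	if (nodes_in_use >= MAX_NODES) {  /* registration fails: no free node */
		if (fixed)
			goto err_free_controls;
		goto err_unregister;      /* skips the control free below */
	}
	nodes_in_use++;
	return 0;                         /* success: device stays bound */
err_free_controls:
	free(s->ctrl);
	live_ctrl_bytes -= CTRL_BYTES;
err_unregister:                           /* stands in for the unregister step */
err_free_mem:
	free(s);
	return -1;
}

/* Mark every node as taken, replay failing probes, return bytes still held. */
static long leak_after(int fixed, int attempts)
{
	nodes_in_use = MAX_NODES;
	live_ctrl_bytes = 0;
	for (int i = 0; i < attempts; i++)
		model_probe(fixed);
	return live_ctrl_bytes;
}

int main(void)
{
	printf("pre-patch: %ld bytes held\n", leak_after(0, 1000));
	printf("patched:   %ld bytes held\n", leak_after(1, 1000));
	return 0;
}
```

In the pre-patch mode the held byte count grows linearly with the number of failed probes, which is the resource to watch when triaging repeated probe failures on an unpatched kernel.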




