OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
linux/drivers/media/usb
History
James Patrick-Evans aa93d1fee8 media: fix airspy usb probe error path 
Fix a memory leak on probe error of the airspy usb device driver.

The problem is triggered when more than 64 usb devices register with
v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.

The memory leak is caused by the probe function of the airspy driver
mishandeling errors and not freeing the corresponding control structures
when an error occours registering the device to v4l2 core.

A badusb device can emulate 64 of these devices, and then through
continual emulated connect/disconnect of the 65th device, cause the
kernel to run out of RAM and crash the kernel, thus causing a local DOS
vulnerability.

Fixes CVE-2016-5400

Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org # 3.17+
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 		2016-07-16 06:15:40 +09:00
..
airspy media: fix airspy usb probe error path 2016-07-16 06:15:40 +09:00
as102 [media] drivers/media/usb/as102: constify as102_priv_ops_t structure 2016-02-01 07:31:48 -02:00
au0828 [media] media: au0828 fix au0828_v4l2_device_register() to not unlock and free 2016-05-09 13:20:42 -03:00
b2c2 [media] media: change email address 2016-01-25 12:01:08 -02:00
cpia2 [media] usb/cpia2_core: clean up a min_t() cast 2016-02-19 08:10:32 -02:00
cx231xx Merge branch 'i2c/for-4.7' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2016-05-19 17:48:12 -07:00
dvb-usb scripts/spelling.txt: add "fimware" misspelling 2016-05-19 19:12:14 -07:00
dvb-usb-v2 Merge branch 'hash' of git://ftp.sciencehorizons.net/linux 2016-05-28 16:15:25 -07:00
em28xx [media] em28xx: add support for Hauppauge WinTV-dualHD DVB tuner 2016-05-09 14:25:39 -03:00
go7007 [media] v4l2-device.h: add v4l2_device_mask_ variants 2016-04-20 16:08:42 -03:00
gspca [media] touptek: cast char types on %x printk 2016-03-10 13:37:45 -03:00
hackrf Merge branch 'patchwork' into v4l_for_linus 2016-01-11 11:13:27 -02:00
hdpvr [media] hdpvr: hide unused variable 2016-02-01 13:14:27 -02:00
msi2500 [media] msi2500: Delete an unnecessary check in msi2500_set_usb_adc() 2016-01-25 15:15:39 -02:00
pvrusb2 [media] pvrusb2: fix smatch errors 2016-04-20 15:48:29 -03:00
pwc [media] pwc: Add USB id for Philips Spc880nc webcam 2016-02-01 10:21:10 -02:00
s2255 [media] media: videobuf2: Move timestamp to vb2_buffer 2015-12-18 13:53:31 -02:00
siano [media] media_device: move allocation out of media_device_*_init 2016-02-23 07:19:39 -03:00
stk1160 [media] stk1160: Remove redundant vb2_buf payload set 2016-02-01 07:37:20 -02:00
stkwebcam [media] stk-webcam: Delete an unnecessary check before the function call "vfree" 2015-03-02 14:53:27 -03:00
tm6000 [media] include/media: split I2C headers from V4L2 core 2015-11-17 06:57:11 -02:00
ttusb-budget [media] dvb: Get rid of typedev usage for enums 2015-06-09 17:47:35 -03:00
ttusb-dec [media] ttusb-dec: constify ttusbdecfe_config structure 2015-11-19 11:22:15 -02:00
usbtv [media] usbtv: correctly handling failed allocation 2016-02-01 07:42:00 -02:00
usbvision [media] usbvision: revert commit 588afcc1 2016-04-20 15:58:54 -03:00
uvc uvc_v4l2: Simplify compat ioctl implementation 2016-06-10 15:11:15 -07:00
zr364xx [media] usb drivers: use BUG_ON() instead of if () BUG 2015-06-09 18:30:09 -03:00
Kconfig [media] tlg2300: move to staging in preparation for removal 2014-12-16 23:21:43 -02:00
Makefile [media] tlg2300: move to staging in preparation for removal 2014-12-16 23:21:43 -02:00