Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 7 May 2016 16:14:09 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: Ben Hutchings <benh@...ian.org>
Subject: CVE Request: Linux: [media] videobuf2-v4l2: Verify planes array in
 buffer dequeueing

Hi

Please assign a CVE for the following issue, which could lead to
overwriting of kernel memory:

>     [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
>     
>     When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
>     which will be dequeued is not known until the buffer has been removed from
>     the queue. The number of planes is specific to a buffer, not to the queue.
>     
>     This does lead to the situation where multi-plane buffers may be requested
>     and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
>     struct with fewer planes.
>     
>     __fill_v4l2_buffer() however uses the number of planes from the dequeued
>     videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
>     in video_usercopy() in v4l2-ioctl.c)  if the user provided fewer
>     planes than the dequeued buffer had. Oops!
>     
>     Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")

Fixed in
https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab (v4.6-rc6)
(Cc'ed to stable@...r.kernel.org for v4.4+, fixed in v4.5.3 and
v4.4.9)

Introduced by
https://git.kernel.org/linus/b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 (v4.4-rc1)

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ