Date: Sat, 7 May 2016 16:14:09 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Cc: Ben Hutchings <benh@...ian.org> Subject: CVE Request: Linux: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing Hi Please assign a CVE for the following issue, which could lead to overwriting of kernel memory: > [media] videobuf2-v4l2: Verify planes array in buffer dequeueing > > When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer > which will be dequeued is not known until the buffer has been removed from > the queue. The number of planes is specific to a buffer, not to the queue. > > This does lead to the situation where multi-plane buffers may be requested > and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument > struct with fewer planes. > > __fill_v4l2_buffer() however uses the number of planes from the dequeued > videobuf2 buffer, overwriting kernel memory (the m.planes array allocated > in video_usercopy() in v4l2-ioctl.c) if the user provided fewer > planes than the dequeued buffer had. Oops! > > Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2") Fixed in https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab (v4.6-rc6) (Cc'ed to stable@...r.kernel.org for v4.4+, fixed in v4.5.3 and v4.4.9) Introduced by https://git.kernel.org/linus/b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 (v4.4-rc1) Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ