Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 7 May 2016 16:14:09 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Cc: Ben Hutchings <>
Subject: CVE Request: Linux: [media] videobuf2-v4l2: Verify planes array in
 buffer dequeueing


Please assign a CVE for the following issue, which could lead to
overwriting of kernel memory:

>     [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
>     When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
>     which will be dequeued is not known until the buffer has been removed from
>     the queue. The number of planes is specific to a buffer, not to the queue.
>     This does lead to the situation where multi-plane buffers may be requested
>     and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
>     struct with fewer planes.
>     __fill_v4l2_buffer() however uses the number of planes from the dequeued
>     videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
>     in video_usercopy() in v4l2-ioctl.c)  if the user provided fewer
>     planes than the dequeued buffer had. Oops!
>     Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")

Fixed in (v4.6-rc6)
(Cc'ed to for v4.4+, fixed in v4.5.3 and

Introduced by (v4.4-rc1)


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ