Date: Sat, 7 May 2016 16:14:09 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Cc: Ben Hutchings <benh@...ian.org> Subject: CVE Request: Linux: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing Hi Please assign a CVE for the following issue, which could lead to overwriting of kernel memory: > [media] videobuf2-v4l2: Verify planes array in buffer dequeueing > > When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer > which will be dequeued is not known until the buffer has been removed from > the queue. The number of planes is specific to a buffer, not to the queue. > > This does lead to the situation where multi-plane buffers may be requested > and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument > struct with fewer planes. > > __fill_v4l2_buffer() however uses the number of planes from the dequeued > videobuf2 buffer, overwriting kernel memory (the m.planes array allocated > in video_usercopy() in v4l2-ioctl.c) if the user provided fewer > planes than the dequeued buffer had. Oops! > > Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2") Fixed in https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab (v4.6-rc6) (Cc'ed to stable@...r.kernel.org for v4.4+, fixed in v4.5.3 and v4.4.9) Introduced by https://git.kernel.org/linus/b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 (v4.4-rc1) Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.