Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 7 May 2016 16:14:09 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Cc: Ben Hutchings <>
Subject: CVE Request: Linux: [media] videobuf2-v4l2: Verify planes array in
 buffer dequeueing


Please assign a CVE for the following issue, which could lead to
overwriting of kernel memory:

>     [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
>     When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
>     which will be dequeued is not known until the buffer has been removed from
>     the queue. The number of planes is specific to a buffer, not to the queue.
>     This does lead to the situation where multi-plane buffers may be requested
>     and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
>     struct with fewer planes.
>     __fill_v4l2_buffer() however uses the number of planes from the dequeued
>     videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
>     in video_usercopy() in v4l2-ioctl.c)  if the user provided fewer
>     planes than the dequeued buffer had. Oops!
>     Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")

Fixed in (v4.6-rc6)
(Cc'ed to for v4.4+, fixed in v4.5.3 and

Introduced by (v4.4-rc1)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.