Commit d863bec6 authored by James Patrick-Evans's avatar James Patrick-Evans Committed by Greg Kroah-Hartman

media: fix airspy usb probe error path

commit aa93d1fe upstream.

Fix a memory leak on probe error of the airspy usb device driver.

The problem is triggered when more than 64 usb devices register with
v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.

The memory leak is caused by the probe function of the airspy driver
mishandeling errors and not freeing the corresponding control structures
when an error occours registering the device to v4l2 core.

A badusb device can emulate 64 of these devices, and then through
continual emulated connect/disconnect of the 65th device, cause the
kernel to run out of RAM and crash the kernel, thus causing a local DOS
vulnerability.

Fixes CVE-2016-5400
Signed-off-by: default avatarJames Patrick-Evans <james@jmp-e.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 87271783
...@@ -1073,7 +1073,7 @@ static int airspy_probe(struct usb_interface *intf, ...@@ -1073,7 +1073,7 @@ static int airspy_probe(struct usb_interface *intf,
if (ret) { if (ret) {
dev_err(s->dev, "Failed to register as video device (%d)\n", dev_err(s->dev, "Failed to register as video device (%d)\n",
ret); ret);
goto err_unregister_v4l2_dev; goto err_free_controls;
} }
dev_info(s->dev, "Registered as %s\n", dev_info(s->dev, "Registered as %s\n",
video_device_node_name(&s->vdev)); video_device_node_name(&s->vdev));
...@@ -1082,7 +1082,6 @@ static int airspy_probe(struct usb_interface *intf, ...@@ -1082,7 +1082,6 @@ static int airspy_probe(struct usb_interface *intf,
err_free_controls: err_free_controls:
v4l2_ctrl_handler_free(&s->hdl); v4l2_ctrl_handler_free(&s->hdl);
err_unregister_v4l2_dev:
v4l2_device_unregister(&s->v4l2_dev); v4l2_device_unregister(&s->v4l2_dev);
err_free_mem: err_free_mem:
kfree(s); kfree(s);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment