Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-30002/0001-media-v4l-ioctl-Fix-memory-leak-in-video_usercopy.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-30002/0001-media-v4l-ioctl-Fix-memory-leak-in-video_usercopy.patch | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-30002/0001-media-v4l-ioctl-Fix-memory-leak-in-video_usercopy.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-30002/0001-media-v4l-ioctl-Fix-memory-leak-in-video_usercopy.patch
new file mode 100644
index 000000000..2b3916723
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-30002/0001-media-v4l-ioctl-Fix-memory-leak-in-video_usercopy.patch
@@ -0,0 +1,78 @@
+From 12c97777a902f6a04f3c268038ed831d405ebf1a Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Sat, 19 Dec 2020 23:29:58 +0100
+Subject: [PATCH] media: v4l: ioctl: Fix memory leak in video_usercopy
+
+When an IOCTL with argument size larger than 128 that also used array
+arguments were handled, two memory allocations were made but alas, only
+the latter one of them was released. This happened because there was only
+a single local variable to hold such a temporary allocation.
+
+Fix this by adding separate variables to hold the pointers to the
+temporary allocations.
+
+Reported-by: Arnd Bergmann <arnd@kernel.org>
+Reported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com
+Fixes: d14e6d76ebf7 ("[media] v4l: Add multi-planar ioctl handling code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-ioctl.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
+index 58868d7129eb..d72a274ade8d 100644
+--- a/drivers/media/v4l2-core/v4l2-ioctl.c
++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
+@@ -3016,7 +3016,7 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
+ v4l2_kioctl func)
+ {
+ char sbuf[128];
+- void *mbuf = NULL;
++ void *mbuf = NULL, *array_buf = NULL;
+ void *parg = (void *)arg;
+ long err = -EINVAL;
+ bool has_array_args;
+@@ -3081,14 +3081,14 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
+ * array) fits into sbuf (so that mbuf will still remain
+ * unused up to here).
+ */
+- mbuf = kvmalloc(array_size, GFP_KERNEL);
++ array_buf = kvmalloc(array_size, GFP_KERNEL);
+ err = -ENOMEM;
+- if (NULL == mbuf)
++ if (array_buf == NULL)
+ goto out_array_args;
+ err = -EFAULT;
+- if (copy_from_user(mbuf, user_ptr, array_size))
++ if (copy_from_user(array_buf, user_ptr, array_size))
+ goto out_array_args;
+- *kernel_ptr = mbuf;
++ *kernel_ptr = array_buf;
+ }
+
+ /* Handles IOCTL */
+@@ -3107,7 +3107,7 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
+
+ if (has_array_args) {
+ *kernel_ptr = (void __force *)user_ptr;
+- if (copy_to_user(user_ptr, mbuf, array_size))
++ if (copy_to_user(user_ptr, array_buf, array_size))
+ err = -EFAULT;
+ goto out_array_args;
+ }
+@@ -3129,6 +3129,7 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
+ }
+
+ out:
++ kvfree(array_buf);
+ kvfree(mbuf);
+ return err;
+ }
+--
+2.17.1
+ |
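Review bot: The header of the added patch file carries no `CVE:` or `Upstream-Status:` trailer, so the link to CVE-2021-30002 is recorded only in the directory name. If this layer follows the OpenEmbedded patch-header convention, add `CVE: CVE-2021-30002` and `Upstream-Status: Backport [<upstream commit id>]` next to the existing Signed-off-by lines so the origin of the backport and the CVE it closes travel with the patch. The diffstat on this page is limited to the patch file, so the recipe change that lists it in SRC_URI is not visible here; confirm it exists, because an unlisted patch would leave the ioctl-reachable leak in video_usercopy in the built kernel. In the embedded C change, `kvfree(array_buf)` at `out:` is safe on paths that never allocate, since `array_buf` is initialised to NULL.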