Re: kernel: v4l: videobuf: hotfix a bug on multiple calls to mmap() - Linux kernel

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugzilla.redhat.com/show_bug.cgi?id=620629
>
> not sure if this ever got a cve (or needs one, depends on device perms)

> http://linuxtv.org/irc/v4l/index.php?date=2010-07-29
>
> [12:15] <posciak> I see there is no limit on count in v4l2_ext_ctrls
> structure... This has a direct influence on kernel memory allocation
> in do_ioctl2, i.e. userspace could pass big numbers and have kernel
> allocate huge amounts of memory... but since kmalloc won't allocate
> more than a couple of kilobytes, I guess there is not much of a
> problem problem here... just mentioning :)
>
> [12:24] <posciak> I guess introducing a VIDEO_MAX_EXT_CTRLS_SIZE or
> something like that would help, as you mentioned
>
> [12:53] <hverkuil> I thought that that patch was merged. I guess not,
> I'll see if I can make it part of my controller fw patch series. Some
> sort of sanity check there would be welcome.

Use CVE-2010-5321 for the
https://bugzilla.redhat.com/show_bug.cgi?id=620629#c0 "calling mmap
enough times for the same buffer (offset) resulted in a new memory
allocation by videobuf on each such call and losing the old
allocation, resulting in a leak each time and the system running out
of memory" issue.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU18d3AAoJEKllVAevmvms9B4IAKSnHhGpXLNE4kiGhTqj0kdl
n5w6ARNyZJxAEv2FAdtjY79F9E/HakvMNqfx2+VowUEPi1T5G+6xWGYjpe/i7L88
ItCgc/q0nzb1zpUz0jckyrKFmbgtG2I424lGbrIzC74Yx0eGgUtKfz8ERtb+A5wu
wS6Fo+tlmdyK0QUn+h6lopisOY8SgaTbWwuAigUa7iOTSBn+8s/qyuBs47Um7FXy
sV+LJ23fm7YKSQ+2zDDvpPP4rq9LOwXlTN7Ka+MBJ4RHR4fUjeRV+t08wRRbddh8
gYaEAh0RLaiuKMSSm0nV25ZZSWy+A6qY1mcMMmeNWB2NUoaAP9ryEOZkWJym/ZM=
=Rvy1
-----END PGP SIGNATURE-----