oss-sec mailing list archives
Re: kernel: v4l: videobuf: hotfix a bug on multiple calls to mmap() - Linux kernel
From: cve-assign () mitre org
Date: Sun, 8 Feb 2015 15:34:31 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
https://bugzilla.redhat.com/show_bug.cgi?id=620629 not sure if this ever got a cve (or needs one, depends on device perms)
http://linuxtv.org/irc/v4l/index.php?date=2010-07-29 [12:15] <posciak> I see there is no limit on count in v4l2_ext_ctrls structure... This has a direct influence on kernel memory allocation in do_ioctl2, i.e. userspace could pass big numbers and have kernel allocate huge amounts of memory... but since kmalloc won't allocate more than a couple of kilobytes, I guess there is not much of a problem problem here... just mentioning :) [12:24] <posciak> I guess introducing a VIDEO_MAX_EXT_CTRLS_SIZE or something like that would help, as you mentioned [12:53] <hverkuil> I thought that that patch was merged. I guess not, I'll see if I can make it part of my controller fw patch series. Some sort of sanity check there would be welcome.
Use CVE-2010-5321 for the https://bugzilla.redhat.com/show_bug.cgi?id=620629#c0 "calling mmap enough times for the same buffer (offset) resulted in a new memory allocation by videobuf on each such call and losing the old allocation, resulting in a leak each time and the system running out of memory" issue. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU18d3AAoJEKllVAevmvms9B4IAKSnHhGpXLNE4kiGhTqj0kdl n5w6ARNyZJxAEv2FAdtjY79F9E/HakvMNqfx2+VowUEPi1T5G+6xWGYjpe/i7L88 ItCgc/q0nzb1zpUz0jckyrKFmbgtG2I424lGbrIzC74Yx0eGgUtKfz8ERtb+A5wu wS6Fo+tlmdyK0QUn+h6lopisOY8SgaTbWwuAigUa7iOTSBn+8s/qyuBs47Um7FXy sV+LJ23fm7YKSQ+2zDDvpPP4rq9LOwXlTN7Ka+MBJ4RHR4fUjeRV+t08wRRbddh8 gYaEAh0RLaiuKMSSm0nV25ZZSWy+A6qY1mcMMmeNWB2NUoaAP9ryEOZkWJym/ZM= =Rvy1 -----END PGP SIGNATURE-----
Current thread:
- kernel: v4l: videobuf: hotfix a bug on multiple calls to mmap() Kurt Seifried (Feb 07)
- Re: kernel: v4l: videobuf: hotfix a bug on multiple calls to mmap() - Linux kernel cve-assign (Feb 08)