CVE Request: Linux: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing

[Salvatore Bonaccorso <carnil () debian org>]

Hi

Please assign a CVE for the following issue, which could lead to
overwriting of kernel memory:

>     [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
>     
>     When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
>     which will be dequeued is not known until the buffer has been removed from
>     the queue. The number of planes is specific to a buffer, not to the queue.
>     
>     This does lead to the situation where multi-plane buffers may be requested
>     and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
>     struct with fewer planes.
>     
>     __fill_v4l2_buffer() however uses the number of planes from the dequeued
>     videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
>     in video_usercopy() in v4l2-ioctl.c)  if the user provided fewer
>     planes than the dequeued buffer had. Oops!
>     
>     Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")

Fixed in
https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab (v4.6-rc6)
(Cc'ed to stable () vger kernel org for v4.4+, fixed in v4.5.3 and
v4.4.9)

Introduced by
https://git.kernel.org/linus/b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 (v4.4-rc1)

Regards,
Salvatore