[media] airspy: fix error logic during device register
authorJames Patrick-Evans <james@jmp-e.com>
Fri, 15 Jul 2016 15:40:45 +0000 (12:40 -0300)
committerMauro Carvalho Chehab <mchehab@s-opensource.com>
Fri, 15 Jul 2016 16:32:21 +0000 (13:32 -0300)
commit785ef73dba6e9fefd2e5dd24546e0efa8698e5cd
tree0f0437c75d0da48da3d8193dd8c032eb204024b2
parent70ad89a2508936c553d0222cc0b7c95648ee3580
[media] airspy: fix error logic during device register

This patch addresses CVE-2016-5400, a local DOS vulnerability caused by
a memory leak in the airspy usb device driver.

The vulnerability is triggered when more than 64 usb devices register
with v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.A badusb device can
emulate 64 of these devices then through continual emulated
connect/disconnect of the 65th device, cause the kernel to run out of
RAM and crash the kernel.

The vulnerability exists in kernel versions from 3.17 to current 4.7.

The memory leak is caused by the probe function of the airspy driver
mishandeling errors and not freeing the corresponding control structures
when an error occours registering the device to v4l2 core.

Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Cc: stable@vger.kernel.org # Up to Kernel 3.17
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
drivers/media/usb/airspy/airspy.c