linux/drivers
James Patrick-Evans 785ef73dba [media] airspy: fix error logic during device register
This patch addresses CVE-2016-5400, a local DOS vulnerability caused by
a memory leak in the airspy usb device driver.

The vulnerability is triggered when more than 64 usb devices register
with v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV. A badusb device can
emulate 64 of these devices, then, through continual emulated
connect/disconnect of the 65th device, cause the kernel to run out of
RAM and crash the kernel.

The vulnerability exists in kernel versions from 3.17 to current 4.7.

The memory leak is caused by the probe function of the airspy driver
mishandling errors and not freeing the corresponding control structures
when an error occurs registering the device to v4l2 core.

Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Cc: stable@vger.kernel.org # Up to Kernel 3.17
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-07-15 13:32:21 -03:00
..
accessibility
acpi ACPI fix for v4.7-rc6 2016-07-01 15:31:48 -07:00
amba ARM: 8566/1: drivers: amba: properly handle devices with power domains 2016-05-05 19:00:40 +01:00
android
ata Merge branch 'for-4.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2016-06-28 12:11:31 -07:00
atm atm: iphase: off by one in rx_pkt() 2016-05-31 11:52:59 -07:00
auxdisplay
base Driver core fixes for 4.7-rc4 2016-06-18 06:04:01 -10:00
bcma MTD updates for v4.7: 2016-05-24 11:00:20 -07:00
block tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
bluetooth Bluetooth: Add USB ID 13D3:3487 to ath3k 2016-05-13 16:54:59 +02:00
bus Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-05-19 10:02:26 -07:00
cdrom
char ipmi: Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg() 2016-06-13 08:56:28 -05:00
clk A bunch of fixes. Some for the newly added rk3399 clock tree, some 2016-06-20 17:01:45 -07:00
clocksource Small release overall. 2016-05-19 11:27:09 -07:00
connector connector: fix out-of-order cn_proc netlink message delivery 2016-06-28 08:48:33 -04:00
cpufreq cpufreq: Avoid false-positive WARN_ON()s in cpufreq_update_policy() 2016-06-28 03:29:29 +02:00
cpuidle cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter() 2016-05-18 02:48:37 +02:00
crypto crypto: ux500 - memmove the right size 2016-06-13 17:43:05 +08:00
dax /dev/dax, core: file operations and dax-mmap 2016-05-20 22:02:55 -07:00
dca
devfreq PM / devfreq: Send the DEVFREQ_POSTCHANGE notification when target() is failed 2016-06-23 23:15:12 +02:00
dio
dma dmaengine: mv_xor: Fix incorrect offset in dma_map_page() 2016-06-07 12:44:23 +05:30
dma-buf dma-buf: use vma_pages() 2016-05-31 22:17:05 +05:30
edac EDAC, sb_edac: Readd accidentally dropped Broadwell-D support 2016-06-03 17:28:21 +02:00
eisa
extcon extcon: palmas: Fix boot up state of VBUS when using GPIO detection 2016-06-15 17:17:22 +09:00
firewire treewide: replace dev->trans_start update with helper 2016-05-04 14:16:49 -04:00
firmware efi/arm: Fix the format of EFI debug messages 2016-06-03 09:57:36 +02:00
fmc
fpga
gpio Pin control fixes for the v4.7 cycle: 2016-06-29 10:05:44 -07:00
gpu Merge branch 'topic/vsp1' into patchwork 2016-07-13 13:43:48 -03:00
hid HID: multitouch: enable palm rejection for Windows Precision Touchpad 2016-06-28 13:24:14 +02:00
hsi HSI: omap-ssi: move omap_ssi_port_update_fclk 2016-05-09 22:45:18 +02:00
hv
hwmon hwmon: (dell-smm) Cache fan_type() calls and change fan detection 2016-06-23 06:24:23 -07:00
hwspinlock drivers/hwspinlock: use correct radix tree API 2016-05-20 17:58:30 -07:00
hwtracing coresight: Handle build path error 2016-06-16 00:13:06 -07:00
i2c i2c: mux: reg: Provide of_match_table 2016-06-09 22:38:16 +02:00
ide
idle
iio iio:ad7266: Fix probe deferral for vref 2016-06-26 17:39:26 +01:00
infiniband Merge branches '4.7-rc-misc', 'hfi1-fixes', 'i40iw-rc-fixes' and 'mellanox-rc-fixes' into k.o/for-4.7-rc 2016-06-23 12:22:33 -04:00
input Linux 4.7-rc6 2016-07-08 18:14:03 -03:00
iommu iommu/amd: Initialize devid variable before using it 2016-06-27 13:24:46 +02:00
ipack
irqchip irqchip/mips-gic: Fix IRQs in gic_dev_domain 2016-06-14 11:41:57 +02:00
isdn TTY and Serial driver update for 4.7-rc1 2016-05-20 20:57:27 -07:00
leds leds: handle suspend/resume in heartbeat trigger 2016-06-08 11:47:06 +02:00
lguest
lightnvm lightnvm: reserved space calculation incorrect 2016-05-06 12:51:10 -06:00
macintosh
mailbox mailbox: Fix devm_ioremap_resource error detection code 2016-05-08 22:44:46 +05:30
mcb mcb: Acquire reference to carrier module in core 2016-06-13 18:49:30 -07:00
md Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2016-05-27 14:28:09 -07:00
media [media] airspy: fix error logic during device register 2016-07-15 13:32:21 -03:00
memory memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing 2016-06-16 11:43:48 +03:00
memstick drivers/memstick/core/mspro_block: use kmemdup 2016-05-23 17:04:14 -07:00
message SCSI misc on 20160517 2016-05-18 16:38:59 -07:00
mfd mfd: max77620: Fix FPS switch statements 2016-06-30 07:44:23 +01:00
misc mei: don't use wake_up_interruptible for wr_ctrl 2016-06-10 22:14:24 -07:00
mmc mmc: sunxi: Re-enable eMMC HS-DDR modes on Allwinner A80 2016-06-02 10:40:20 +02:00
mtd ubi: Make recover_peb power cut aware 2016-06-23 00:29:32 +02:00
net qed: Protect the doorbell BAR with the write barriers. 2016-06-29 08:12:45 -04:00
nfc NFC: pn533: handle interrupted commands in pn533_recv_frame 2016-05-10 00:01:47 +02:00
ntb
nubus
nvdimm libnvdimm, pfn, dax: fix initialization vs autodetect for mode + alignment 2016-06-23 17:50:39 -07:00
nvme NVMe: Only release requested regions 2016-06-09 14:28:28 -06:00
nvmem remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
of Linux 4.7-rc6 2016-07-08 18:14:03 -03:00
oprofile
parisc
parport
pci PCI: Fix unaligned accesses in VC code 2016-06-20 13:24:20 -05:00
pcmcia
perf arm: pmu: Fix non-devicetree probing 2016-06-15 09:51:35 +01:00
phy - Final patches fixing Reset API change 2016-07-01 15:17:16 -07:00
pinctrl pinctrl: baytrail: Fix mingled clock pins 2016-06-23 11:05:04 +02:00
platform platform/x86: Drop duplicate dependencies on X86 2016-06-08 13:21:37 -07:00
pnp driver core update for 4.7-rc1 2016-05-20 21:26:15 -07:00
power power_supply: tps65217-charger: Fix NULL deref during property export 2016-06-16 15:54:11 +02:00
powercap Power management material for v4.7-rc1 2016-05-16 19:17:22 -07:00
pps
ps3
ptp ptp: oops in ptp_ioctl() 2016-05-29 22:32:27 -07:00
pwm pwm: atmel-hlcdc: Fix default PWM polarity 2016-06-14 10:51:45 +02:00
rapidio rapidio/mport_cdev: fix uapi type definitions 2016-05-05 17:38:53 -07:00
ras
regulator Merge remote-tracking branches 'regulator/fix/anatop' and 'regulator/fix/max77620' into regulator-linus 2016-07-01 18:06:48 +02:00
remoteproc remoteproc: Add additional crash reasons 2016-05-12 15:50:19 -07:00
reset
rpmsg rpmsg: add THIS_MODULE to rpmsg_driver in rpmsg core 2016-05-06 11:08:58 -07:00
rtc rtc: tps6586x: rename so module can be autoloaded 2016-05-21 17:07:17 +02:00
s390 DAX error handling for 4.7 2016-05-26 19:34:26 -07:00
sbus openprom: fix warning 2016-05-20 18:33:37 -07:00
scsi Merge remote-tracking branch 'mkp-scsi/4.7/scsi-fixes' into fixes 2016-06-18 11:59:01 -07:00
sfi
sh
sn
soc soc: mtk-pmic-wrap: avoid integer overflow warning 2016-05-19 15:20:24 +02:00
spi Merge remote-tracking branches 'spi/fix/ep93xx', 'spi/fix/rockchip', 'spi/fix/sunxi' and 'spi/fix/ti-qspi' into spi-linus 2016-06-30 13:17:29 +01:00
spmi
ssb
staging [media] s5p-cec/TODO: add TODO item 2016-07-15 13:21:45 -03:00
target Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2016-05-28 12:04:17 -07:00
tc
thermal Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2016-06-12 06:30:39 -07:00
thunderbolt thunderbolt: Fix double free of drom buffer 2016-05-02 12:09:22 -05:00
tty devpts: fix null pointer dereference on failed memory allocation 2016-06-26 11:39:00 -07:00
uio
usb Linux 4.7-rc6 2016-07-08 18:14:03 -03:00
uwb
vfio vfio/pci: Allow VPD short read 2016-05-31 21:25:52 -06:00
vhost target: make close_session optional 2016-05-10 01:19:26 -07:00
video OMAPDSS: HDMI5: Change DDC timings 2016-05-31 08:20:43 +03:00
virt
virtio virtio_balloon: fix PFN format for virtio-1 2016-05-22 19:44:13 +03:00
vlynq
vme
w1
watchdog watchdog: ebc-c384_wdt: Allow build for X86_64 2016-06-17 20:21:12 -07:00
xen xen-pciback: return proper values during BAR sizing 2016-06-24 10:53:03 +01:00
zorro
Kconfig libnvdimm for 4.7 2016-05-23 11:18:01 -07:00
Makefile /dev/dax, pmem: direct access to persistent memory 2016-05-20 22:02:53 -07:00