• James Patrick-Evans's avatar
    [media] airspy: fix error logic during device register · 785ef73d
    James Patrick-Evans authored
    This patch addresses CVE-2016-5400, a local DOS vulnerability caused by
    a memory leak in the airspy usb device driver.
    
    The vulnerability is triggered when more than 64 usb devices register
    with v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.A badusb device can
    emulate 64 of these devices then through continual emulated
    connect/disconnect of the 65th device, cause the kernel to run out of
    RAM and crash the kernel.
    
    The vulnerability exists in kernel versions from 3.17 to current 4.7.
    
    The memory leak is caused by the probe function of the airspy driver
    mishandeling errors and not freeing the corresponding control structures
    when an error occours registering the device to v4l2 core.
    Signed-off-by: default avatarJames Patrick-Evans <james@jmp-e.com>
    Cc: stable@vger.kernel.org # Up to Kernel 3.17
    Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
    785ef73d
airspy.c 27.6 KB