media: CVE-2017-16644

media: hdpvr: Fix an error handling path in hdpvr_probe() Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-16644 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=dd24d173b50af3aadb1ea2e04edaa8d68ca59b23 Change-Id: I621c6fe518e5e41618c235cdacf8d9bceb3e3947 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-05-21 16:13:15 +0200
committer: Adrian Mangeac <Adrian.Mangeac@enea.com> 2019-05-21 17:34:45 +0200
commit: da9582884e55558308fd67ade22a4f9eac1750a9 (patch)
tree: c43c3fdeffe75ca02d47d782074a6d8abcdd621d
parent: 197bf9e8fc6b61145890c70edc0769ef38992b44 (diff)
download: enea-kernel-cache-da9582884e55558308fd67ade22a4f9eac1750a9.tar.gz
1 files changed, 110 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-16644-media-hdpvr-Fix-an-error-handling-path-in-hdpvr_prob.patch b/patches/cve/CVE-2017-16644-media-hdpvr-Fix-an-error-handling-path-in-hdpvr_prob.patch
new file mode 100644
index 0000000..ee7e02a
--- /dev/null
+++ b/patches/cve/CVE-2017-16644-media-hdpvr-Fix-an-error-handling-path-in-hdpvr_prob.patch
@@ -0,0 +1,110 @@
+From dd24d173b50af3aadb1ea2e04edaa8d68ca59b23 Mon Sep 17 00:00:00 2001
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Fri, 22 Sep 2017 09:07:06 -0400
+Subject: [PATCH] media: hdpvr: Fix an error handling path in hdpvr_probe()
+commit c0f71bbb810237a38734607ca4599632f7f5d47f upstream.
+Here, hdpvr_register_videodev() is responsible for setup and
+register a video device. Also defining and initializing a worker.
+hdpvr_register_videodev() is calling by hdpvr_probe at last.
+So no need to flush any work here.
+Unregister v4l2, free buffers and memory. If hdpvr_probe() will fail.
+CVE: CVE-2017-16644
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=dd24d173b50af3aadb1ea2e04edaa8d68ca59b23]
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/media/usb/hdpvr/hdpvr-core.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c
+index dbe29c6c4d8b..1e8cbaf36896 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-core.c
+++ b/drivers/media/usb/hdpvr/hdpvr-core.c
+@@ -292,7 +292,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+        /* register v4l2_device early so it can be used for printks */
+        if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) {
+                dev_err(&interface->dev, "v4l2_device_register failed\n");
+-               goto error;
+               goto error_free_dev;
+        }
+ 
+        mutex_init(&dev->io_mutex);
+@@ -301,7 +301,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+        dev->usbc_buf = kmalloc(64, GFP_KERNEL);
+        if (!dev->usbc_buf) {
+                v4l2_err(&dev->v4l2_dev, "Out of memory\n");
+-               goto error;
+               goto error_v4l2_unregister;
+        }
+ 
+        init_waitqueue_head(&dev->wait_buffer);
+@@ -339,13 +339,13 @@ static int hdpvr_probe(struct usb_interface *interface,
+        }
+        if (!dev->bulk_in_endpointAddr) {
+                v4l2_err(&dev->v4l2_dev, "Could not find bulk-in endpoint\n");
+-               goto error;
+               goto error_put_usb;
+        }
+ 
+        /* init the device */
+        if (hdpvr_device_init(dev)) {
+                v4l2_err(&dev->v4l2_dev, "device init failed\n");
+-               goto error;
+               goto error_put_usb;
+        }
+ 
+        mutex_lock(&dev->io_mutex);
+@@ -353,7 +353,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+                mutex_unlock(&dev->io_mutex);
+                v4l2_err(&dev->v4l2_dev,
+                         "allocating transfer buffers failed\n");
+-               goto error;
+               goto error_put_usb;
+        }
+        mutex_unlock(&dev->io_mutex);
+ 
+@@ -361,7 +361,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+        retval = hdpvr_register_i2c_adapter(dev);
+        if (retval < 0) {
+                v4l2_err(&dev->v4l2_dev, "i2c adapter register failed\n");
+-               goto error;
+               goto error_free_buffers;
+        }
+ 
+        client = hdpvr_register_ir_rx_i2c(dev);
+@@ -394,13 +394,17 @@ static int hdpvr_probe(struct usb_interface *interface,
+ reg_fail:
+ #if IS_ENABLED(CONFIG_I2C)
+        i2c_del_adapter(&dev->i2c_adapter);
+error_free_buffers:
+ #endif
+       hdpvr_free_buffers(dev);
+error_put_usb:
+       usb_put_dev(dev->udev);
+       kfree(dev->usbc_buf);
+error_v4l2_unregister:
+       v4l2_device_unregister(&dev->v4l2_dev);
+error_free_dev:
+       kfree(dev);
+ error:
+-       if (dev) {
+-               flush_work(&dev->worker);
+-               /* this frees allocated memory */
+-               hdpvr_delete(dev);
+-       }
+        return retval;
+ }
+ 
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-05-21 16:13:15 +0200
committer	Adrian Mangeac <Adrian.Mangeac@enea.com>	2019-05-21 17:34:45 +0200
commit	da9582884e55558308fd67ade22a4f9eac1750a9 (patch)
tree	c43c3fdeffe75ca02d47d782074a6d8abcdd621d
parent	197bf9e8fc6b61145890c70edc0769ef38992b44 (diff)
download	enea-kernel-cache-da9582884e55558308fd67ade22a4f9eac1750a9.tar.gz

diff --git a/patches/cve/CVE-2017-16644-media-hdpvr-Fix-an-error-handling-path-in-hdpvr_prob.patch b/patches/cve/CVE-2017-16644-media-hdpvr-Fix-an-error-handling-path-in-hdpvr_prob.patch new file mode 100644 index 0000000..ee7e02a --- /dev/null +++ b/patches/cve/CVE-2017-16644-media-hdpvr-Fix-an-error-handling-path-in-hdpvr_prob.patch
@@ -0,0 +1,110 @@
	1	From dd24d173b50af3aadb1ea2e04edaa8d68ca59b23 Mon Sep 17 00:00:00 2001
	2	From: Arvind Yadav <arvind.yadav.cs@gmail.com>
	3	Date: Fri, 22 Sep 2017 09:07:06 -0400
	4	Subject: [PATCH] media: hdpvr: Fix an error handling path in hdpvr_probe()
	5
	6	commit c0f71bbb810237a38734607ca4599632f7f5d47f upstream.
	7
	8	Here, hdpvr_register_videodev() is responsible for setup and
	9	register a video device. Also defining and initializing a worker.
	10	hdpvr_register_videodev() is calling by hdpvr_probe at last.
	11	So no need to flush any work here.
	12	Unregister v4l2, free buffers and memory. If hdpvr_probe() will fail.
	13
	14	CVE: CVE-2017-16644
	15	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=dd24d173b50af3aadb1ea2e04edaa8d68ca59b23]
	16
	17	Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
	18	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	19	Tested-by: Andrey Konovalov <andreyknvl@google.com>
	20	Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
	21	Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
	22	Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
	23	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	24	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	25	---
	26	drivers/media/usb/hdpvr/hdpvr-core.c \| 26 +++++++++++++++-----------
	27	1 file changed, 15 insertions(+), 11 deletions(-)
	28
	29	diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c
	30	index dbe29c6c4d8b..1e8cbaf36896 100644
	31	--- a/drivers/media/usb/hdpvr/hdpvr-core.c
	32	+++ b/drivers/media/usb/hdpvr/hdpvr-core.c
	33	@@ -292,7 +292,7 @@ static int hdpvr_probe(struct usb_interface *interface,
	34	/* register v4l2_device early so it can be used for printks */
	35	if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) {
	36	dev_err(&interface->dev, "v4l2_device_register failed\n");
	37	- goto error;
	38	+ goto error_free_dev;
	39	}
	40
	41	mutex_init(&dev->io_mutex);
	42	@@ -301,7 +301,7 @@ static int hdpvr_probe(struct usb_interface *interface,
	43	dev->usbc_buf = kmalloc(64, GFP_KERNEL);
	44	if (!dev->usbc_buf) {
	45	v4l2_err(&dev->v4l2_dev, "Out of memory\n");
	46	- goto error;
	47	+ goto error_v4l2_unregister;
	48	}
	49
	50	init_waitqueue_head(&dev->wait_buffer);
	51	@@ -339,13 +339,13 @@ static int hdpvr_probe(struct usb_interface *interface,
	52	}
	53	if (!dev->bulk_in_endpointAddr) {
	54	v4l2_err(&dev->v4l2_dev, "Could not find bulk-in endpoint\n");
	55	- goto error;
	56	+ goto error_put_usb;
	57	}
	58
	59	/* init the device */
	60	if (hdpvr_device_init(dev)) {
	61	v4l2_err(&dev->v4l2_dev, "device init failed\n");
	62	- goto error;
	63	+ goto error_put_usb;
	64	}
	65
	66	mutex_lock(&dev->io_mutex);
	67	@@ -353,7 +353,7 @@ static int hdpvr_probe(struct usb_interface *interface,
	68	mutex_unlock(&dev->io_mutex);
	69	v4l2_err(&dev->v4l2_dev,
	70	"allocating transfer buffers failed\n");
	71	- goto error;
	72	+ goto error_put_usb;
	73	}
	74	mutex_unlock(&dev->io_mutex);
	75
	76	@@ -361,7 +361,7 @@ static int hdpvr_probe(struct usb_interface *interface,
	77	retval = hdpvr_register_i2c_adapter(dev);
	78	if (retval < 0) {
	79	v4l2_err(&dev->v4l2_dev, "i2c adapter register failed\n");
	80	- goto error;
	81	+ goto error_free_buffers;
	82	}
	83
	84	client = hdpvr_register_ir_rx_i2c(dev);
	85	@@ -394,13 +394,17 @@ static int hdpvr_probe(struct usb_interface *interface,
	86	reg_fail:
	87	#if IS_ENABLED(CONFIG_I2C)
	88	i2c_del_adapter(&dev->i2c_adapter);
	89	+error_free_buffers:
	90	#endif
	91	+ hdpvr_free_buffers(dev);
	92	+error_put_usb:
	93	+ usb_put_dev(dev->udev);
	94	+ kfree(dev->usbc_buf);
	95	+error_v4l2_unregister:
	96	+ v4l2_device_unregister(&dev->v4l2_dev);
	97	+error_free_dev:
	98	+ kfree(dev);
	99	error:
	100	- if (dev) {
	101	- flush_work(&dev->worker);
	102	- /* this frees allocated memory */
	103	- hdpvr_delete(dev);
	104	- }
	105	return retval;
	106	}
	107
	108	--
	109	2.20.1
	110