[linux] 02/02: media: usbvision-video: fix memory leak of alt_max_pkt_size

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Dec 2 23:04:28 UTC 2015 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch squeeze-security
in repository linux.

commit 1ff9893458ce1eb9e3aead95ef0420eee676667b
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Dec 2 23:03:40 2015 +0000

    media: usbvision-video: fix memory leak of alt_max_pkt_size
    
    This is sort of a dependency of the other fixes.
---
 debian/changelog                                   |  1 +
 ...sion-fix-crash-on-detecting-device-with-i.patch |  2 +-
 ...sion-fix-leak-of-usb_dev-on-failure-paths.patch | 20 +++++------
 ...sion-video-fix-memory-leak-of-alt_max_pkt.patch | 41 ++++++++++++++++++++++
 ...sbvision-fix-overflow-of-interfaces-array.patch |  2 +-
 debian/patches/series/48squeeze17                  |  1 +
 6 files changed, 54 insertions(+), 13 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index e36e008..0c40e96 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ linux-2.6 (2.6.32-48squeeze17) UNRELEASED; urgency=medium
   * isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
   * ppp, slip: Validate VJ compression slot parameters completely
     (CVE-2015-7799)
+  * media: usbvision-video: fix memory leak of alt_max_pkt_size
   * media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
   * media: usbvision: fix overflow of interfaces array (CVE-2015-7833)
   * media: usbvision: fix crash on detecting device with invalid
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
index 2c06c45..6a6caab 100644
--- a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
+++ b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
@@ -15,7 +15,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
 ---
 --- a/drivers/media/video/usbvision/usbvision-video.c
 +++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1661,10 +1661,23 @@ static int __devinit usbvision_probe(str
+@@ -1662,10 +1662,23 @@ static int __devinit usbvision_probe(str
  
  	if (usbvision_device_data[model].Interface >= 0) {
  		interface = &dev->actconfig->interface[usbvision_device_data[model].Interface]->altsetting[0];
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
index 1e8de3f..cbba45c 100644
--- a/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
+++ b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
@@ -11,9 +11,7 @@ Found by Linux Driver Verification project (linuxtesting.org).
 Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
 Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
 Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
-[bwh: Backported to 2.6.32:
- - The extra cleanup needed at err_pkt is mutex_unlock()
- - Adjust filename, context]
+[bwh: Backported to 2.6.32: adjust filename, context]
 ---
  drivers/media/video/usbvision/usbvision-video.c | 24 +++++++++++++++++-------
  1 file changed, 17 insertions(+), 7 deletions(-)
@@ -22,7 +20,7 @@ diff --git a/drivers/media/video/usbvision/usbvision-video.c b/drivers/media/vid
 index 2579c87..12b403e 100644
 --- a/drivers/media/video/usbvision/usbvision-video.c
 +++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1637,7 +1637,7 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1638,7 +1638,7 @@ static int usbvision_probe(struct usb_interface *intf,
  	const struct usb_host_interface *interface;
  	struct usb_usbvision *usbvision = NULL;
  	const struct usb_endpoint_descriptor *endpoint;
@@ -31,7 +29,7 @@ index 2579c87..12b403e 100644
  
  	PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
  				dev->descriptor.idVendor,
-@@ -1646,7 +1646,8 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1647,7 +1647,8 @@ static int usbvision_probe(struct usb_interface *intf,
  	model = devid->driver_info;
  	if ( (model<0) || (model>=usbvision_device_data_size) ) {
  		PDEBUG(DBG_PROBE, "model out of bounds %d",model);
@@ -41,7 +39,7 @@ index 2579c87..12b403e 100644
  	}
  	printk(KERN_INFO "%s: %s found\n", __func__,
  				usbvision_device_data[model].ModelString);
-@@ -1662,18 +1663,21 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1663,18 +1664,21 @@ static int usbvision_probe(struct usb_interface *intf,
  		    __func__, ifnum);
  		dev_err(&intf->dev, "%s: Endpoint attributes %d",
  		    __func__, endpoint->bmAttributes);
@@ -66,24 +64,24 @@ index 2579c87..12b403e 100644
  	}
  
  	if (dev->descriptor.bNumConfigurations > 1) {
-@@ -1696,8 +1700,8 @@ static int usbvision_probe(struct usb_interface *intf,
- 					      usbvision->num_alt,GFP_KERNEL);
+@@ -1698,8 +1702,8 @@ static int usbvision_probe(struct usb_interface *intf,
  	if (usbvision->alt_max_pkt_size == NULL) {
  		dev_err(&intf->dev, "usbvision: out of memory!\n");
--		mutex_unlock(&usbvision->lock);
+ 		mutex_unlock(&usbvision->lock);
+-		usbvision_release(usbvision);
 -		return -ENOMEM;
 +		ret = -ENOMEM;
 +		goto err_pkt;
  	}
  
  	for (i = 0; i < usbvision->num_alt ; i++) {
-@@ -1736,6 +1740,12 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1737,6 +1741,12 @@ static int usbvision_probe(struct usb_interface *intf,
  
  	PDEBUG(DBG_PROBE, "success");
  	return 0;
 +
 +err_pkt:
-+	mutex_unlock(&usbvision->lock);
++	usbvision_release(usbvision);
 +err_usb:
 +	usb_put_dev(dev);
 +	return ret;
diff --git a/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch b/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
new file mode 100644
index 0000000..b237d64
--- /dev/null
+++ b/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
@@ -0,0 +1,41 @@
+From: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Date: Mon, 10 Jun 2013 17:32:29 -0300
+Subject: [media] usbvision-video: fix memory leak of alt_max_pkt_size
+Origin: https://git.kernel.org/linus/090c65b694c362adb19ec9c27de216a808ee443c
+
+1. usbvision->alt_max_pkt_size is not deallocated anywhere.
+2. if allocation of usbvision->alt_max_pkt_size fails,
+there is no proper deallocation of already acquired resources.
+The patch adds kfree(usbvision->alt_max_pkt_size) to
+usbvision_release() as soon as other deallocations happen there.
+It calls usbvision_release() if allocation of
+usbvision->alt_max_pkt_size fails as soon as usbvision_release()
+is safe to work with incompletely initialized usbvision structure.
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+[bwh: Backported to 2.6.32: adjust filename, context]
+---
+ drivers/media/video/usbvision/usbvision-video.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/video/usbvision/usbvision-video.c
++++ b/drivers/media/video/usbvision/usbvision-video.c
+@@ -1575,6 +1575,7 @@ static void usbvision_release(struct usb
+ 
+ 	usbvision_remove_sysfs(usbvision->vdev);
+ 	usbvision_unregister_video(usbvision);
++	kfree(usbvision->alt_max_pkt_size);
+ 
+ 	if (usbvision->ctrlUrb) {
+ 		usb_free_urb(usbvision->ctrlUrb);
+@@ -1697,6 +1698,7 @@ static int __devinit usbvision_probe(str
+ 	if (usbvision->alt_max_pkt_size == NULL) {
+ 		dev_err(&intf->dev, "usbvision: out of memory!\n");
+ 		mutex_unlock(&usbvision->lock);
++		usbvision_release(usbvision);
+ 		return -ENOMEM;
+ 	}
+ 
diff --git a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
index b718295..951706a 100644
--- a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
+++ b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
@@ -18,7 +18,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
 
 --- a/drivers/media/video/usbvision/usbvision-video.c
 +++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1652,6 +1652,13 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1653,6 +1653,13 @@ static int usbvision_probe(struct usb_interface *intf,
  	printk(KERN_INFO "%s: %s found\n", __func__,
  				usbvision_device_data[model].ModelString);
  
diff --git a/debian/patches/series/48squeeze17 b/debian/patches/series/48squeeze17
index 89e2438..1f70412 100644
--- a/debian/patches/series/48squeeze17
+++ b/debian/patches/series/48squeeze17
@@ -1,6 +1,7 @@
 + bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
 + bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
 + bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
++ bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
 + bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
 + bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
 + bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list