[linux] 03/03: videobuf2-core: Fix crash after fixing CVE-2016-4568
debian-kernel at lists.debian.org
Mon May 16 02:34:57 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit 48902f4f1ab8ed1f8ff8a822f523bb1b85961453
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon May 16 03:33:38 2016 +0100
videobuf2-core: Fix crash after fixing CVE-2016-4568
---
debian/changelog | 1 +
...core-fix-crash-after-fixing-cve-2016-4568.patch | 25 ++++++++++++++++++++++
.../debian/v4l2-fix-abi-changes-in-4.5.3.patch | 4 ++--
debian/patches/series | 1 +
4 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 639802a..ec92e8f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -122,6 +122,7 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
* isofs: get_rock_ridge_filename(): handle malformed NM entries
* uapi glibc compat: fix compile errors when glibc net/if.h included
before linux/if.h (Closes: #822393)
+ * videobuf2-core: Fix crash after fixing CVE-2016-4568
-- Aurelien Jarno <aurel32 at debian.org> Tue, 10 May 2016 23:58:07 +0200
diff --git a/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch b/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
new file mode 100644
index 0000000..8c80f98
--- /dev/null
+++ b/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
@@ -0,0 +1,25 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 16 May 2016 03:26:30 +0100
+Subject: videobuf2-core: Fix crash after fixing CVE-2016-4568
+
+Commit 2c1f6951a8a8 "[media] videobuf2-v4l2: Verify planes array in buffer
+dequeueing" was reverted upstream by commit 93f0750dcdae.
+
+It's obvious from the log in the revert commit message that pb == NULL
+in __verify_planes_array(). We should treat this case as successful
+because vb2_core_dqbuf() won't attempt to copy anything to user
+buffers.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1665,7 +1665,7 @@ static int __vb2_get_done_vb(struct vb2_
+ * Only remove the buffer from done_list if v4l2_buffer can handle all
+ * the planes.
+ */
+- ret = call_bufop(q, verify_planes_array, *vb, pb);
++ ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
+ if (!ret)
+ list_del(&(*vb)->done_entry);
+ spin_unlock_irqrestore(&q->done_lock, flags);
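Review bot: The comment directly above the changed line `ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;` still reads "Only remove the buffer from done_list if v4l2_buffer can handle all the planes", which does not cover the new pb == NULL path where the check is skipped and the buffer is removed from done_list unconditionally. Extend that comment with the reason given in the patch description (vb2_core_dqbuf() copies nothing to user buffers when pb is NULL), so the guard is not later mistaken for dead code and dropped. The description also places the NULL pb inside __verify_planes_array() while the guard sits in the caller __vb2_get_done_vb(); a sentence on why the caller was chosen would help, since a check at this call site covers only this path into the verify_planes_array op.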
diff --git a/debian/patches/debian/v4l2-fix-abi-changes-in-4.5.3.patch b/debian/patches/debian/v4l2-fix-abi-changes-in-4.5.3.patch
index 4c63bff..be324fd 100644
--- a/debian/patches/debian/v4l2-fix-abi-changes-in-4.5.3.patch
+++ b/debian/patches/debian/v4l2-fix-abi-changes-in-4.5.3.patch
@@ -17,8 +17,8 @@ genksyms. Set and check the flag as necessary.
* Only remove the buffer from done_list if v4l2_buffer can handle all
* the planes.
*/
-- ret = call_bufop(q, verify_planes_array, *vb, pb);
-+ ret = q->have_verify_planes_array ?
+- ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
++ ret = (pb && q->have_verify_planes_array) ?
+ call_bufop(q, verify_planes_array, *vb, pb) : 0;
if (!ret)
list_del(&(*vb)->done_entry);
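Review bot: The refreshed `-` line, `ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;`, means this ABI patch now applies only on top of videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch, and nothing in this hunk records that ordering dependency. Confirm that debian/patches/series lists this patch after the new bugfix/all entry, and consider noting the dependency in this patch's description. The new condition `(pb && q->have_verify_planes_array)` also means the flag alone no longer decides whether the op is called, so the description's "Set and check the flag as necessary" could mention the pb == NULL case as well.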
diff --git a/debian/patches/series b/debian/patches/series
index 488677b..bf28b48 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -86,6 +86,7 @@ bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch
bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
bugfix/all/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
bugfix/all/uapi-glibc-compat-fix-compile-errors-when-glibc-net-.patch
+bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
# Miscellaneous features
features/all/mm-exclude-zone_device-from-gfp_zone_table.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git