videobuf2-core: Fix crash after fixing CVE-2016-4568
parent
3eae053b85
commit
48902f4f1a
|
@ -122,6 +122,7 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
|
||||||
* isofs: get_rock_ridge_filename(): handle malformed NM entries
|
* isofs: get_rock_ridge_filename(): handle malformed NM entries
|
||||||
* uapi glibc compat: fix compile errors when glibc net/if.h included
|
* uapi glibc compat: fix compile errors when glibc net/if.h included
|
||||||
before linux/if.h (Closes: #822393)
|
before linux/if.h (Closes: #822393)
|
||||||
|
* videobuf2-core: Fix crash after fixing CVE-2016-4568
|
||||||
|
|
||||||
-- Aurelien Jarno <aurel32@debian.org> Tue, 10 May 2016 23:58:07 +0200
|
-- Aurelien Jarno <aurel32@debian.org> Tue, 10 May 2016 23:58:07 +0200
|
||||||
|
|
||||||
|
|
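--- a/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
+++ b/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
@@ -0,0 +1,25 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 16 May 2016 03:26:30 +0100
+Subject: videobuf2-core: Fix crash after fixing CVE-2016-4568
+
+Commit 2c1f6951a8a8 "[media] videobuf2-v4l2: Verify planes array in buffer
+dequeueing" was reverted upstream by commit 93f0750dcdae.
+
+It's obvious from the log in the revert commit message that pb == NULL
+in __verify_planes_array(). We should treat this case as successful
+because vb2_core_dqbuf() won't attempt to copy anything to user
+buffers.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1665,7 +1665,7 @@ static int __vb2_get_done_vb(struct vb2_
+* Only remove the buffer from done_list if v4l2_buffer can handle all
+* the planes.
+*/
+- ret = call_bufop(q, verify_planes_array, *vb, pb);
++ ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
+if (!ret)
+list_del(&(*vb)->done_entry);
+spin_unlock_irqrestore(&q->done_lock, flags);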
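Review bot: The retained comment above the changed assignment ("Only remove the buffer from done_list if v4l2_buffer can handle all the planes") no longer describes the new `pb ? ... : 0` path, where a NULL pb skips verify_planes_array and the buffer is then removed from done_list without any check. That is safe only while vb2_core_dqbuf() never copies to a user buffer when pb is NULL, which the patch description states but which lies outside this hunk and cannot be confirmed from it. Because this call is the planes-array validation added for CVE-2016-4568, I would record the invariant next to it, e.g. `/* pb == NULL: nothing is copied to user space, so there is no planes array to verify */`. __vb2_get_done_vb() starts and ends outside the hunk.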
@ -17,8 +17,8 @@ genksyms. Set and check the flag as necessary.
|
||||||
* Only remove the buffer from done_list if v4l2_buffer can handle all
|
* Only remove the buffer from done_list if v4l2_buffer can handle all
|
||||||
* the planes.
|
* the planes.
|
||||||
*/
|
*/
|
||||||
- ret = call_bufop(q, verify_planes_array, *vb, pb);
|
- ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
|
||||||
+ ret = q->have_verify_planes_array ?
|
+ ret = (pb && q->have_verify_planes_array) ?
|
||||||
+ call_bufop(q, verify_planes_array, *vb, pb) : 0;
|
+ call_bufop(q, verify_planes_array, *vb, pb) : 0;
|
||||||
if (!ret)
|
if (!ret)
|
||||||
list_del(&(*vb)->done_entry);
|
list_del(&(*vb)->done_entry);
|
||||||
|
|
|
@ -86,6 +86,7 @@ bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch
|
||||||
bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
|
bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
|
||||||
bugfix/all/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
|
bugfix/all/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
|
||||||
bugfix/all/uapi-glibc-compat-fix-compile-errors-when-glibc-net-.patch
|
bugfix/all/uapi-glibc-compat-fix-compile-errors-when-glibc-net-.patch
|
||||||
|
bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
|
||||||
|
|
||||||
# Miscellaneous features
|
# Miscellaneous features
|
||||||
features/all/mm-exclude-zone_device-from-gfp_zone_table.patch
|
features/all/mm-exclude-zone_device-from-gfp_zone_table.patch
|
||||||
|
|