videobuf2-core: Fix crash after fixing CVE-2016-4568
This commit is contained in:
Ben Hutchings
parent
3eae053b85
commit
48902f4f1a
|
|
@ -122,6 +122,7 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
|
|||
* isofs: get_rock_ridge_filename(): handle malformed NM entries
|
||||
* uapi glibc compat: fix compile errors when glibc net/if.h included
|
||||
before linux/if.h (Closes: #822393)
|
||||
* videobuf2-core: Fix crash after fixing CVE-2016-4568
|
||||
|
||||
-- Aurelien Jarno <aurel32@debian.org> Tue, 10 May 2016 23:58:07 +0200
|
||||
|
||||
|
|
|
|||
25
debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
vendored
Normal file
25
debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
vendored
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Mon, 16 May 2016 03:26:30 +0100
|
||||
Subject: videobuf2-core: Fix crash after fixing CVE-2016-4568
|
||||
|
||||
Commit 2c1f6951a8a8 "[media] videobuf2-v4l2: Verify planes array in buffer
|
||||
dequeueing" was reverted upstream by commit 93f0750dcdae.
|
||||
|
||||
It's obvious from the log in the revert commit message that pb == NULL
|
||||
in __verify_planes_array(). We should treat this case as successful
|
||||
because vb2_core_dqbuf() won't attempt to copy anything to user
|
||||
buffers.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
--- a/drivers/media/v4l2-core/videobuf2-core.c
|
||||
+++ b/drivers/media/v4l2-core/videobuf2-core.c
|
||||
@@ -1665,7 +1665,7 @@ static int __vb2_get_done_vb(struct vb2_
|
||||
* Only remove the buffer from done_list if v4l2_buffer can handle all
|
||||
* the planes.
|
||||
*/
|
||||
- ret = call_bufop(q, verify_planes_array, *vb, pb);
|
||||
+ ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
|
||||
if (!ret)
|
||||
list_del(&(*vb)->done_entry);
|
||||
spin_unlock_irqrestore(&q->done_lock, flags);
|
||||
|
|
@ -17,8 +17,8 @@ genksyms. Set and check the flag as necessary.
|
|||
* Only remove the buffer from done_list if v4l2_buffer can handle all
|
||||
* the planes.
|
||||
*/
|
||||
- ret = call_bufop(q, verify_planes_array, *vb, pb);
|
||||
+ ret = q->have_verify_planes_array ?
|
||||
- ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
|
||||
+ ret = (pb && q->have_verify_planes_array) ?
|
||||
+ call_bufop(q, verify_planes_array, *vb, pb) : 0;
|
||||
if (!ret)
|
||||
list_del(&(*vb)->done_entry);
|
||||
|
|
|
|||
|
|
@ -86,6 +86,7 @@ bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch
|
|||
bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
|
||||
bugfix/all/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
|
||||
bugfix/all/uapi-glibc-compat-fix-compile-errors-when-glibc-net-.patch
|
||||
bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
|
||||
|
||||
# Miscellaneous features
|
||||
features/all/mm-exclude-zone_device-from-gfp_zone_table.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue