From: Greg Kroah-Hartman Date: Fri, 5 Mar 2021 10:43:50 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.260~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=db358d4fb92e81d656365bc7f8bb8d7e53046631;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: media-v4l-ioctl-fix-memory-leak-in-video_usercopy.patch
---
diff --git a/queue-4.19/media-v4l-ioctl-fix-memory-leak-in-video_usercopy.patch b/queue-4.19/media-v4l-ioctl-fix-memory-leak-in-video_usercopy.patch
new file mode 100644
index 00000000000..434bfa050cb
--- /dev/null
+++ b/queue-4.19/media-v4l-ioctl-fix-memory-leak-in-video_usercopy.patch
@@ -0,0 +1,84 @@
+From fb18802a338b36f675a388fc03d2aa504a0d0899 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Sat, 19 Dec 2020 23:29:58 +0100
+Subject: media: v4l: ioctl: Fix memory leak in video_usercopy
+
+From: Sakari Ailus
+
+commit fb18802a338b36f675a388fc03d2aa504a0d0899 upstream.
+
+When an IOCTL with argument size larger than 128 that also used array
+arguments were handled, two memory allocations were made but alas, only
+the latter one of them was released. This happened because there was only
+a single local variable to hold such a temporary allocation.
+
+Fix this by adding separate variables to hold the pointers to the
+temporary allocations.
+
+Reported-by: Arnd Bergmann
+Reported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com
+Fixes: d14e6d76ebf7 ("[media] v4l: Add multi-planar ioctl handling code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus
+Acked-by: Arnd Bergmann
+Acked-by: Hans Verkuil
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/v4l2-core/v4l2-ioctl.c | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ioctl.c
++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
+@@ -2939,7 +2939,7 @@ video_usercopy(struct file *file, unsign
+ v4l2_kioctl func)
+ {
+ char sbuf[128];
+- void *mbuf = NULL;
++ void *mbuf = NULL, *array_buf = NULL;
+ void *parg = (void *)arg;
+ long err = -EINVAL;
+ bool has_array_args;
+@@ -2998,20 +2998,14 @@ video_usercopy(struct file *file, unsign
+ has_array_args = err;
+
+ if (has_array_args) {
+- /*
+- * When adding new types of array args, make sure that the
+- * parent argument to ioctl (which contains the pointer to the
+- * array) fits into sbuf (so that mbuf will still remain
+- * unused up to here).
+- */
+- mbuf = kvmalloc(array_size, GFP_KERNEL);
++ array_buf = kvmalloc(array_size, GFP_KERNEL);
+ err = -ENOMEM;
+- if (NULL == mbuf)
++ if (array_buf == NULL)
+ goto out_array_args;
+ err = -EFAULT;
+- if (copy_from_user(mbuf, user_ptr, array_size))
++ if (copy_from_user(array_buf, user_ptr, array_size))
+ goto out_array_args;
+- *kernel_ptr = mbuf;
++ *kernel_ptr = array_buf;
+ }
+
+ /* Handles IOCTL */
+@@ -3030,7 +3024,7 @@ video_usercopy(struct file *file, unsign
+
+ if (has_array_args) {
+ *kernel_ptr = (void __force *)user_ptr;
+- if (copy_to_user(user_ptr, mbuf, array_size))
++ if (copy_to_user(user_ptr, array_buf, array_size))
+ err = -EFAULT;
+ goto out_array_args;
+ }
+@@ -3052,6 +3046,7 @@ out_array_args:
+ }
+
+ out:
++ kvfree(array_buf);
+ kvfree(mbuf);
+ return err;
+ }
diff --git a/queue-4.19/series b/queue-4.19/series
index 96fbd3537ba..5bd238d4b6e 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -47,3 +47,4 @@ xen-gnttab-handle-p2m-update-errors-on-a-per-slot-basis.patch
 xen-netback-respect-gnttab_map_refs-s-return-value.patch
 zsmalloc-account-the-number-of-compacted-pages-correctly.patch
 swap-fix-swapfile-read-write-offset.patch
+media-v4l-ioctl-fix-memory-leak-in-video_usercopy.patch
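Review bot: The new declaration `void *mbuf = NULL, *array_buf = NULL;` in the first v4l2-ioctl.c hunk has no comment saying which allocation each pointer owns, and the hunk at -2998 deletes the only comment that described how the parent argument and the array buffer relate. The leak came from one variable serving both roles on an ioctl path reachable from user space (it was syzbot-reported), so I would record the ownership at the declaration, for example `/* mbuf: parent ioctl argument when it does not fit in sbuf; array_buf: kernel copy of the user array; both are released at out: */`. The wording for mbuf is inferred from the removed comment and the commit message and should be confirmed against the part of video_usercopy that allocates it, which is outside the hunks. The bound on `array_size` passed to `kvmalloc()` is also set outside the visible lines, so it cannot be checked from this patch.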