979022 – (CVE-2016-4568) VUL-0: CVE-2016-4568: kernel: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing

Bug 979022 (CVE-2016-4568) - VUL-0: CVE-2016-4568: kernel: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing

Summary: VUL-0: CVE-2016-4568: kernel: [media] videobuf2-v4l2: Verify planes array in ...

Status:	RESOLVED FIXED

Alias:	CVE-2016-4568

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/168719/
Whiteboard:	CVSSv2:SUSE:CVE-2016-4568:4.4:(AV:L/A...
Keywords:

Depends on:	981516
Blocks:
	Show dependency tree / graph

Clone This Bug

Reported:	2016-05-09 09:01 UTC by Sebastian Krahmer
Modified:	2020-06-29 06:24 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2016-05-09 09:01:08 UTC

CVE-2016-4568



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4568
http://seclists.org/oss-sec/2016/q2/273

Comment 1 Borislav Petkov 2016-05-13 10:20:16 UTC

Upstream patch is

2c1f6951a8a8 ("[media] videobuf2-v4l2: Verify planes array in buffer dequeueing")

and the one it fixes is

b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")

which is upstream since 4.4. Fix 2c1f6951a8a8 is tagged for stable and
since we haven't released 12PS2 yet, I'll wait for that fix to trickle
down with the stable updates.

Leaving it assigned to me until then.

Comment 2 Borislav Petkov 2016-05-13 11:46:49 UTC

Ok, a bit of change of plans. We're reverting:

http://git.kernel.org/cgit/linux/kernel/git/mchehab/linux-media.git/commit/?h=media/v4.6-6&id=93f0750dcdaed083d6209b01e952e98ca730db66

https://lkml.kernel.org/r/20160513083224.1c2935c6@recife.lan

Looks like we'll be getting another fix ...

Comment 3 Marcus Meissner 2016-05-25 06:30:46 UTC

does it affect older products?

Comment 4 Borislav Petkov 2016-05-25 08:57:57 UTC

problem introduced in kernel 4.4, so only sles12 sp2 affected.

Comment 5 Borislav Petkov 2016-06-07 09:38:35 UTC

Ok, looked again, so the revert is CC:stable and we'll get it eventually.

However, the problem the reverted was trying to fix still persists in

  b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")

but we'll get another fix which should also be CC:stable apparently.

Comment 6 Joerg Roedel 2016-07-20 10:56:18 UTC

FTR, the new fixes seem to be:

126f402 [media] vb2: core: Skip planes array verification if pb is NULL
83934b7 [media] videobuf2-v4l2: Verify planes array in buffer dequeueing

They are currently in linux-next, not yet upstream. Both are tagged for stable.
The second patch is identical to the original fix ('2c1f6951a8a8').

Comment 7 Borislav Petkov 2016-07-25 11:31:37 UTC

On their way upstream:

https://lkml.kernel.org/r/20160725081835.1812283e@recife.lan

Leaving it open until it lands in stable and then in 12SP2.

Comment 8 Borislav Petkov 2016-10-25 11:48:05 UTC

Ok, patches are in 12SP2, bouncing back.

FTR, the reason for this confusion is that the first patch:

  2c1f6951a8a8 [media] videobuf2-v4l2: Verify planes array in buffer dequeueing

was committed before this one:

  126f40298446 ("[media] vb2: core: Skip planes array verification if pb is NULL")

which caused the breakage on pb being NULL.

They're both in now so we should be good.

Comment 9 Marcus Meissner 2017-03-01 13:33:32 UTC

126f40298446 is in patches.kernel.org/patch-4.4.18-19

we released it in SLES 12 SP2 GA already.