Bug 1358184 (CVE-2016-5400)

Summary: CVE-2016-5400 kernel: memory leak in airspy usb driver
Product: [Other] Security Response Reporter: Wade Mealing <wmealing>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agordeev, aquini, arm-mgr, bhu, carnil, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, nmurray, pholasek, plougher, pmatouse, rt-maint, rvrbovsk, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the linux kernel's implementation of the airspy USB device driver in which a leak was found when a subdev or SDR are plugged into the host. An attacker can create an targeted USB device which can emulate 64 of these devices. Then by emulating an additional device which continuously connects and disconnects, each connection attempt will leak memory which can not be recovered.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-26 04:10:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1358186    
Bug Blocks: 1356381    

Description Wade Mealing 2016-07-20 09:20:43 UTC 
A flaw was found in the linux kernel's implementation of the airspy USB device driver in which a leak was found when a subdev or SDR are plugged into the host.

An attacker can create an targeted USB device which can emulate 64 of
these devices. Then by emulating an additional device which continuously connects and disconnects, each connection attempt will leak memory which can not be recovered.

Upstream patch:
https://git.linuxtv.org/media_tree.git/commit/?id=eca2d34b9d2ce70165a50510659838e28ca22742
Comment 1 Wade Mealing 2016-07-20 09:21:37 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1358186]
Comment 2 Wade Mealing 2016-07-20 09:27:43 UTC 
Statement:

Red Hat Enterprise Linux is not affected by this flaw as this module is not available in shipping source code.
Comment 3 Wade Mealing 2016-07-20 09:31:31 UTC 
Acknowledgements:

Red Hat would like to thank James Patrick-Evans for bringing this to our attention.
Comment 5 Justin M. Forbes 2016-07-20 14:52:24 UTC 
Is there a fix posted anywhere? LKML wasn't copied it seems, and the mitre listing is still the default reserved text.
Comment 6 Wade Mealing 2016-07-25 00:45:51 UTC 
Gday Justin,

At this time, the patch has been submitted to the maintainer ( https://git.linuxtv.org/media_tree.git/commit/?id=eca2d34b9d2ce70165a50510659838e28ca22742 ) and we are awaiting the submission upstream.

Thanks

Wade Mealing
Red Hat Product Security
Comment 7 Adam Mariš 2016-07-28 07:38:51 UTC 
Is that patch really related to this issue? According to http://seclists.org/oss-sec/2016/q3/178 the following patch fixes this issue:

https://git.linuxtv.org/media_tree.git/commit/?id=aa93d1fee85c890a34f2510a310e55ee76a27848
Comment 8 Wade Mealing 2016-08-03 01:07:32 UTC 
Yep, fixing.
Comment 9 Fedora Update System 2016-08-08 20:24:57 UTC 
kernel-4.6.5-300.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2016-08-08 23:52:12 UTC 
kernel-4.6.5-200.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.