Bug 620629 (CVE-2010-5321)

Summary: CVE-2010-5321 kernel: v4l: videobuf: hotfix a bug on multiple calls to mmap()
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: arozansk, bhu, carnil, fhrbata, jkacur, kmcmartin, kzhang, lgoncalv, lwang, pmatouse, security-response-team, tcallawa, williams, yozone
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-05-18 13:59:56 UTC
Bug Depends On: 620630, 621021, 631669
Bug Blocks: 1190513

Description Eugene Teo (Security Response) 2010-08-03 04:22:06 UTC
Description of problem:
Since videobuf allocates memory on mmap(), calling mmap enough times for the same buffer (offset) resulted in a new memory allocation by videobuf on each such call and losing the old allocation, resulting in a leak each time and the system running out of memory.
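
The allocation pattern described above, reduced to a user-space C model. This is an added example, not the kernel's videobuf code and not the upstream fix; `model_buf`, `map_leaky`, `map_guarded` and the other names are hypothetical, and `malloc` stands in for the kernel allocator.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for one videobuf buffer (one offset). */
struct model_buf {
    void  *vaddr;   /* backing memory set up by the map handler */
    size_t size;
};

static long live_allocs;   /* allocations not yet freed */

static void *tracked_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { free(p); live_allocs--; } }

/* Pattern from the description: every map call allocates again. */
static int map_leaky(struct model_buf *b, size_t size)
{
    b->vaddr = tracked_alloc(size);   /* previous b->vaddr is overwritten and lost */
    b->size = size;
    return b->vaddr ? 0 : -1;
}

/* Guarded variant (an assumption of this example): allocate only once per buffer. */
static int map_guarded(struct model_buf *b, size_t size)
{
    if (b->vaddr)                     /* already backed: reuse, refuse a size mismatch */
        return b->size == size ? 0 : -1;
    b->vaddr = tracked_alloc(size);
    b->size = size;
    return b->vaddr ? 0 : -1;
}

/* Map the same buffer `calls` times, release it once, return what is still allocated. */
static long leaked_after(int (*map)(struct model_buf *, size_t), int calls)
{
    struct model_buf b = {0};
    long before = live_allocs;
    for (int i = 0; i < calls; i++)
        if (map(&b, 4096) != 0)
            break;
    tracked_free(b.vaddr);            /* teardown only sees the last pointer */
    return live_allocs - before;
}

int main(void)
{
    printf("leaky:   %ld allocations leaked\n", leaked_after(map_leaky, 8));
    printf("guarded: %ld allocations leaked\n", leaked_after(map_guarded, 8));
    return 0;
}
```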

Comment 2 Eugene Teo (Security Response) 2010-08-04 01:53:01 UTC
/dev/video has perms of 660, and only users in the video group can trigger the issue. The machine needs to have a USB stick or webcam. However, on certain configurations, like a video surveillance server, it is quite possible that users are given access to this group. Very low risk, non-default configuration.

mrg-1.2 not affected (no VIDEOBUF_VMALLOC in drivers/media/video/em28xx/Kconfig; old implementation). rhel-6 and fedora are affected. mrg-1.3 is affected (grep -ir 28xx MRG/config-*).

Comment 4 Eugene Teo (Security Response) 2010-08-04 01:54:57 UTC
This was publicly discussed and logged here: http://linuxtv.org/irc/v4l/index.php?date=2010-07-29.

Comment 5 Eugene Teo (Security Response) 2010-08-04 03:44:31 UTC
> The default permissions on RHEL5 are 0600:
> 
> $ ls -la /dev/video0
> crw------- 1 root root 81, 0 Ago  3 19:29 /dev/video0

So on rhel-5, this isn't a security issue to begin with.

Comment 7 Petr Matousek 2015-05-07 12:51:51 UTC
CVE assignment:

  http://www.openwall.com/lists/oss-security/2015/02/08/4

Comment 8 Petr Matousek 2015-05-18 13:59:56 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5. This issue does affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2.

Based on the absence of an upstream patch addressing this issue in the VIDEOBUF implementation (newer drivers using VIDEOBUF2 are not affected) and the fact that Red Hat Product Security has rated this issue as having Low security impact, this issue is not currently planned to be addressed in future kernel updates for the respective releases. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.