From: Arjan van de Ven <arjan.com>

NULL function pointers are very bad security-wise. This one got caught by kerneloops.org quite a few times, so it's happening in the field.... Fix is simple: check the function pointer for NULL, like 6 other places in the same function are already doing.
Created attachment 323147 [details] Proposed upstream patch
Created attachment 323605 [details] Fix OOPS at chip_command call when handling VIDIOC_S_CTRL

This is the proper patch to fix the bug.

I've already commented about it upstream, at:

http://lkml.org/lkml/2008/11/14/169

I'll be sending also a pull request soon for the tvaudio patch series.
Upstream request sent: http://lkml.org/lkml/2008/11/14/202

I should be backporting the patches to RHEL kernels soon.
(In reply to comment #11)
> Created an attachment (id=323605) [details]
> Fix OOPS at chip_command call when handling VIDIOC_S_CTRL
>
> This is the proper patch to fix the bug.
>
> I've already commented about it upstream, at:
>
> http://lkml.org/lkml/2008/11/14/169
>
> I'll be sending also a pull request soon for the tvaudio patch series.

Correct proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9
(In reply to comment #14)
> (In reply to comment #11)
> > Created an attachment (id=323605) [details]
> > Fix OOPS at chip_command call when handling VIDIOC_S_CTRL
> >
> > This is the proper patch to fix the bug.
> >
> > I've already commented about it upstream, at:
> >
> > http://lkml.org/lkml/2008/11/14/169
> >
> > I'll be sending also a pull request soon for the tvaudio patch series.
>
> Correct proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9

"This bug were supposed to be fixed by 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1, where a call to NULL happens. Not all tvaudio chips allow controlling bass/treble. So, the driver has a table with a flag to indicate if the chip does support it. Unfortunately, the handling of this logic were broken for a very long time (probably since the first module version). Due to that, an OOPS were generated for devices that don't support bass/treble."

FYI.
The bass/treble breakage was a regression caused by this changeset:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dc3d75da05c3ff2dd6510c32a11deacced49d1a1

The changeset replaced the old V4L1 ioctls VIDIOCGAUDIO and VIDIOCSAUDIO with the V4L2 ones (VIDIOC_QUERYCTRL, VIDIOC_S_CTRL and VIDIOC_G_CTRL), unfortunately using inverted logic when setting the bass level. So it was basically replacing the KABI with a more modern one.

Since changeset dc3d75da05c3ff2dd6510c32a11deacced49d1a1 wasn't applied to RHEL kernels, they aren't vulnerable to CVE-2008-5033.
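As an added illustration of the pattern this thread discusses (comments from Arjan and the two follow-ups above: a per-chip table carrying a capability flag plus optional callbacks, a flag check whose sense was inverted, and the NULL check on the function pointer that the fix adds), here is a small stand-alone C example. It is not the tvaudio driver's code and not any of the attached patches; the `chip_desc` structure, the `demo_set_*` callbacks, the table contents and the `EINVAL_RET` constant are all constructed for the example. It also adds an init-time table consistency check, which goes beyond what the thread describes, so that a descriptor whose flag and pointers disagree is caught at load time rather than on a user ioctl.

```c
#include <stdio.h>
#include <stddef.h>

#define EINVAL_RET (-22)   /* constructed stand-in for the kernel's -EINVAL */

enum ctrl_id { CTRL_VOLUME, CTRL_BASS, CTRL_TREBLE };

/* Hypothetical chip descriptor: a capability flag plus per-control
 * callbacks; callbacks for unsupported controls are left NULL. */
struct chip_desc {
    const char *name;
    int has_bass_treble;          /* 1 if the chip can set bass/treble */
    int (*set_volume)(int val);
    int (*set_bass)(int val);     /* NULL when unsupported */
    int (*set_treble)(int val);   /* NULL when unsupported */
};

/* Constructed callbacks: they just echo the value they were given. */
static int demo_set_volume(int v) { return v; }
static int demo_set_bass(int v)   { return v; }
static int demo_set_treble(int v) { return v; }

/* Constructed table. The third entry is deliberately inconsistent:
 * its flag claims bass/treble support but the callbacks are NULL. */
static const struct chip_desc chips[] = {
    { "full",        1, demo_set_volume, demo_set_bass, demo_set_treble },
    { "volume-only", 0, demo_set_volume, NULL,          NULL            },
    { "broken-desc", 1, demo_set_volume, NULL,          NULL            },
};
#define NCHIPS (sizeof(chips) / sizeof(chips[0]))

/* Hardened S_CTRL-style handler: test the capability flag with the
 * correct (non-inverted) sense AND test the callback pointer itself,
 * so a bad descriptor can never turn into a call through NULL.
 * Returns the callback's result, or EINVAL_RET when unsupported. */
int chip_set_control(const struct chip_desc *c, enum ctrl_id id, int val)
{
    int (*fn)(int) = NULL;

    switch (id) {
    case CTRL_VOLUME:
        fn = c->set_volume;
        break;
    case CTRL_BASS:
        if (!c->has_bass_treble)
            return EINVAL_RET;
        fn = c->set_bass;
        break;
    case CTRL_TREBLE:
        if (!c->has_bass_treble)
            return EINVAL_RET;
        fn = c->set_treble;
        break;
    default:
        return EINVAL_RET;
    }
    if (!fn)                      /* the NULL check the fix adds */
        return EINVAL_RET;
    return fn(val);
}

/* Load-time consistency check: count descriptors whose flag and
 * callback pointers disagree, so table errors surface during probe. */
int chip_table_inconsistencies(const struct chip_desc *tab, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        int have_ptrs = tab[i].set_bass != NULL && tab[i].set_treble != NULL;
        if ((tab[i].has_bass_treble && !have_ptrs) ||
            (!tab[i].has_bass_treble && have_ptrs))
            bad++;
    }
    return bad;
}

/* Accessor so callers can reach the constructed table by index. */
const struct chip_desc *chip_by_index(size_t i)
{
    return i < NCHIPS ? &chips[i] : NULL;
}

int main(void)
{
    printf("inconsistent descriptors: %d\n",
           chip_table_inconsistencies(chips, NCHIPS));
    for (size_t i = 0; i < NCHIPS; i++)
        printf("%s: set bass -> %d\n", chips[i].name,
               chip_set_control(&chips[i], CTRL_BASS, 5));
    return 0;
}
```

The two checks are deliberately independent: the flag check rejects a request the chip does not support, and the pointer check protects against the flag and the table disagreeing, which is exactly the situation the thread describes. The consistency scan is the cheap way to find such a descriptor before any userspace ioctl reaches it.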
This bug was due to KABI changes from the V4L1 to the V4L2 API. They don't affect RHEL/MRG kernels.