Description of problem: Since videobuf allocates memory on mmap(), calling mmap enough times for the same buffer (offset) resulted in a new memory allocation by videobuf on each such call and losing the old allocation, resulting in a leak each time and the system running out of memory.
/dev/video has perms of 660, and only users in video group can trigger the issue. The machine needs to have a USB stick or webcam. However, on certain configuration, like a video surveillance server, it is quite like possible that users are given access to this group. Very low risk, non-default configuration. mrg-1.2 not affected (no VIDEOBUF_VMALLOC in drivers/media/video/em28xx/Kconfig; old implementation). rhel-6 and fedora are affected. mrg-1.3 is affected (grep -ir 28xx MRG/config-*).
This was publicly discussed and logged here: http://linuxtv.org/irc/v4l/index.php?date=2010-07-29.
> The default permissions on RHEL5 are 0600: > > $ ls -la /dev/video0 > crw------- 1 root root 81, 0 Ago 3 19:29 /dev/video0 So on rhel-5, this isn't a security issue to begin with.
CVE assignment: http://www.openwall.com/lists/oss-security/2015/02/08/4
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5. This issue does affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2. Based on the absence of upstream patch addressing this issue in VIDEOBUF (newer drivers using VIDEOBUF2 are not affected) implementation and that Red Hat Product Security has rated this issue as having Low security impact, this issue is not currently planned to be addressed in future kernel updates for the respective releases. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.