Bug 620629 (CVE-2010-5321) - CVE-2010-5321 kernel: v4l: videobuf: hotfix a bug on multiple calls to mmap()
Summary: CVE-2010-5321 kernel: v4l: videobuf: hotfix a bug on multiple calls to mmap()
Status: CLOSED WONTFIX
Alias: CVE-2010-5321
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: reported=20100803,public=20100729,sou...
Keywords: Security
Depends On: 620630 621021 631669
Blocks: 1190513
TreeView+ depends on / blocked
 
Reported: 2010-08-03 04:22 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 13:04 UTC (History)
14 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-05-18 13:59:56 UTC


Attachments (Terms of Use)

Description Eugene Teo (Security Response) 2010-08-03 04:22:06 UTC
Description of problem:
Since videobuf allocates memory on mmap(), calling mmap enough times for the same buffer (offset) resulted in a new memory allocation by videobuf on each such call and losing the old allocation, resulting in a leak each time and the system running out of memory.

Comment 2 Eugene Teo (Security Response) 2010-08-04 01:53:01 UTC
/dev/video has perms of 660, and only users in video group can trigger the issue. The machine needs to have a USB stick or webcam. However, on certain configuration, like a video surveillance server, it is quite like possible that users are given access to this group. Very low risk, non-default configuration.

mrg-1.2 not affected (no VIDEOBUF_VMALLOC in drivers/media/video/em28xx/Kconfig; old implementation). rhel-6 and fedora are affected. mrg-1.3 is affected (grep -ir 28xx MRG/config-*).

Comment 4 Eugene Teo (Security Response) 2010-08-04 01:54:57 UTC
This was publicly discussed and logged here: http://linuxtv.org/irc/v4l/index.php?date=2010-07-29.

Comment 5 Eugene Teo (Security Response) 2010-08-04 03:44:31 UTC
> The default permissions on RHEL5 are 0600:
> 
> $ ls -la /dev/video0
> crw------- 1 root root 81, 0 Ago  3 19:29 /dev/video0

So on rhel-5, this isn't a security issue to begin with.

Comment 7 Petr Matousek 2015-05-07 12:51:51 UTC
CVE assignment:

  http://www.openwall.com/lists/oss-security/2015/02/08/4

Comment 8 Petr Matousek 2015-05-18 13:59:56 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5. This issue does affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2.

Based on the absence of upstream patch addressing this issue in VIDEOBUF (newer drivers using VIDEOBUF2 are not affected) implementation and that Red Hat Product Security has rated this issue as having Low security impact, this issue is not currently planned to be addressed in future kernel updates for the respective releases. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.