A few Linux kernel flaws were found in Video for Linux version 2 (V4L2). They occur in the test driver (for example in the function vid_cap_queue_setup of drivers/media/test-drivers/vivid/vivid-vid-cap.c, which a user can trigger when writing to /dev/videoX), and it is enabled if the config param CONFIG_VIDEO_V4L2 is set (possibly another required param is CONFIG_VIDEO_VIVID). All three cases are in similar code and have similar impact ("divide by zero error", "memory leak" and "integer overflow" types):

1. When setting the DV timings for input or output, the v4l2_bt_timings parameter passed in by the user is used. When calculating the horizontal freq, the parameter was not checked properly, which caused a division by zero error.

2. A race condition causes the size to expand when v4l_G_fMT calls copy_to_user, which can cause information leakage from the heap. However, user_copy protection can be prevented.

3. A 32-bit integer multiplication overflow occurs when vid_cap_queue_setup calculates the frame buffer size, resulting in a memcpy out-of-bounds vulnerability when the memory is accessed later.
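As an added illustration of items 1 and 3 (not code from this thread or from the kernel's vivid driver): a simplified, hypothetical version of the two computations, each shown with the check the report says was missing. The struct layout, function names and the sample timing values are assumptions constructed for the example.

```c
#include <stdint.h>

/* Hypothetical, simplified stand-in for the DV timing fields involved; the
 * kernel's struct v4l2_bt_timings has more members than shown here. */
struct bt_timings {
    uint32_t width, hfrontporch, hsync, hbackporch;
    uint64_t pixelclock;
};

/* Horizontal frequency = pixelclock / total line length. The total is built
 * from user-supplied fields, so it is validated before it is used as a
 * divisor; 0 is returned for an invalid (all-zero) line instead of faulting. */
static uint64_t bt_hfreq(const struct bt_timings *bt)
{
    uint64_t htot = (uint64_t)bt->width + bt->hfrontporch +
                    bt->hsync + bt->hbackporch;
    if (htot == 0)          /* the missing check: division by zero */
        return 0;
    return bt->pixelclock / htot;
}

/* Unchecked 32-bit multiplication, as item 3 describes: the product wraps,
 * a too-small buffer is allocated, and a later copy of a full frame overruns it. */
static uint32_t naive_frame_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked form: compute pixels in 64 bits (two 32-bit values cannot overflow
 * there), then refuse any result that would not fit the 32-bit sizeimage
 * field. Returns 0 on rejection, which callers must treat as an error.
 * In-kernel code would use check_mul_overflow() from linux/overflow.h. */
static uint32_t frame_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint64_t pixels = (uint64_t)width * height;
    if (bpp == 0 || pixels > UINT32_MAX / bpp)
        return 0;
    return (uint32_t)(pixels * bpp);
}

int main(void)
{
    /* Constructed sample: 1080p-like line timing, and a frame whose size wraps. */
    struct bt_timings bt = { 1920, 88, 44, 148, 148500000ULL };
    int ok = bt_hfreq(&bt) == 67500 &&
             frame_size(1920, 1080, 2) == 4147200u &&
             naive_frame_size(65536, 65536, 4) == 0 &&   /* wrapped to zero */
             frame_size(65536, 65536, 4) == 0;           /* correctly refused */
    return ok ? 0 : 1;
}
```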
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2166322]
> Few Linux Kernel flaws found in the Video for Linux version 2 (V4L2). It happens for test driver (like in function vid_cap_queue_setup of drivers/media/test-drivers/vivid/vivid-vid-cap.c that user can trigger when writing to the /dev/videoX), and it is enabled if config param CONFIG_VIDEO_V4L2 set.

At least in the current (6.2-rc#) kernel code the vivid test code has its own Kconfig option CONFIG_VIDEO_VIVID. So disabling that should be enough to mitigate these security issues. Note that completely disabling CONFIG_VIDEO_V4L2 will disable all support for video input devices, including the UVC webcams found on almost all laptops, so that is a bad idea.
Some more info on this:

RHEL-8:
-------
With 4.18 kernels, including the RHEL 8 4.18 sources, building vivid depends on CONFIG_V4L_TEST_DRIVERS and the latest RHEL-8 kernel config has:

# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 4.18.0-454.el8.x86_64 Kernel Configuration
...
# CONFIG_V4L_TEST_DRIVERS is not set

So I believe that RHEL8 is not affected, at least in so far as vivid is involved.

RHEL-9:
-------
With 5.14 kernels, including the RHEL 9 5.14 sources, building vivid depends on CONFIG_MEDIA_TEST_SUPPORT and the latest RHEL-9 kernel config has:

# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.14.0-251.el9.x86_64 Kernel Configuration
...
# CONFIG_MEDIA_TEST_SUPPORT is not set

So I believe that RHEL9 is not affected, at least in so far as vivid is involved.

Fedora:
-------
With the latest kernels, building vivid depends on CONFIG_MEDIA_TEST_SUPPORT and the latest Fedora kernel config has:

# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 6.1.8-200.fc37.x86_64 Kernel Configuration
...
# CONFIG_MEDIA_TEST_SUPPORT is not set

I also checked kernel-debug-core-6.1.8-100 and that also does not have CONFIG_MEDIA_TEST_SUPPORT set.

So I believe that Fedora is not affected, at least in so far as vivid is involved.
In reply to comment #5:
> Some more info in this:
>
> RHEL-8:
> -------
> With 4.18 kernels, including the RHEL 8 4.18 sources, building vivid depends on CONFIG_V4L_TEST_DRIVERS and the latest RHEL-8 kernel config has:
>
> # Automatically generated file; DO NOT EDIT.
> # Linux/x86_64 4.18.0-454.el8.x86_64 Kernel Configuration
> ...
> # CONFIG_V4L_TEST_DRIVERS is not set
>
> So I believe that RHEL8 is not affected, at least in so far as vivid is involved.
>
> RHEL-9:
> -------
> With 5.14 kernels, including the RHEL 9 5.14 sources, building vivid depends on CONFIG_MEDIA_TEST_SUPPORT and the latest RHEL-9 kernel config has:
>
> # Automatically generated file; DO NOT EDIT.
> # Linux/x86_64 5.14.0-251.el9.x86_64 Kernel Configuration
> ...
> # CONFIG_MEDIA_TEST_SUPPORT is not set
>
> So I believe that RHEL9 is not affected, at least in so far as vivid is involved.
>
> Fedora:
> -------
> With the latest kernels, building vivid depends on CONFIG_MEDIA_TEST_SUPPORT and the latest Fedora kernel config has:
>
> # Automatically generated file; DO NOT EDIT.
> # Linux/x86_64 6.1.8-200.fc37.x86_64 Kernel Configuration
> ...
> # CONFIG_MEDIA_TEST_SUPPORT is not set
>
> I also checked kernel-debug-core-6.1.8-100 and that also does not have CONFIG_MEDIA_TEST_SUPPORT set.
>
> So I believe that Fedora is not affected, at least in so far as vivid is involved.

Then I'm changing rhel8 to "not affected" (because I tried to run reproducers with rhel8 and it didn't crash). For rhel9 and Fedora I'm keeping it; please close as NOTABUG if you are sure they are not affected. I saw that "/dev/video0 /dev/video1" exist in rhel, so I thought it needed to be checked again whether rhel9 or Fedora may be affected in some way (or whether something can be disabled in the configuration to be sure they are not affected, but if it is already disabled, then NOTABUG).
I have gotten confirmation from the upstream v4l2-core and vivid maintainer that all these issues indeed only impact vivid so I'm going to close the Fedora and RHEL-9 bugs as not-a-bug since we don't build the vivid driver at all. And FWIW these issues have all been fixed in the latest upstream vivid code.
(In reply to Hans de Goede from comment #7)
> I have gotten confirmation from the upstream v4l2-core and vivid maintainer that all these issues indeed only impact vivid so I'm going to close the Fedora and RHEL-9 bugs as not-a-bug since we don't build the vivid driver at all.
>
> And FWIW these issues have all been fixed in the latest upstream vivid code.

Is there any additional information on it? It was marked as fixed in version 6.2-rc6 here, but there are no related changes in v6.2-rc5..v6.2-rc6. Can you help here?
In reply to comment #9:
> (In reply to Hans de Goede from comment #7)
> > I have gotten confirmation from the upstream v4l2-core and vivid maintainer that all these issues indeed only impact vivid so I'm going to close the Fedora and RHEL-9 bugs as not-a-bug since we don't build the vivid driver at all.
> >
> > And FWIW these issues have all been fixed in the latest upstream vivid code.
>
> Is there any additional information on it? It was marked as fixed in version 6.2-rc6 here, but there are no related changes in v6.2-rc5..v6.2-rc6. Can you help here?

I updated "Fixed in:" to nothing. Actually, it was "fix in future" based on the CVE publishing instruction: "[VERSION]: Known affected or fixed in versions of the product/component. This information is often available on the flaw bug on the fixedin field or on the comment#0.", so following this instruction "Fixed in:" was set to the next upstream version in the future (maybe incorrectly, because actually the "Fixed in:" field means "which upstream versions contain the fix"). Bearing in mind that it is not fixed yet, I cleared "Fixed in:" to nothing, so it does not mislead anymore. Try to contact hdegoede redhat com directly and ask what "And FWIW these issues have all been fixed in the latest upstream vivid code." actually means (because I know he has direct contact with the maintainer of the vivid code).
The "And FWIW these issues have all been fixed in the latest upstream vivid code." is the exact text which Hans Verkuil the upstream maintainer gave me. Note that Hans Verkuil is listed in the kernel's MAINTAINERS file as the vivid driver maintainer so anyone can simply find him and reach out to him. If you have any questions about this I suggest that you reach out to Hans Verkuil directly at Hans Verkuil <hverkuil>.