linux: CVE-2010-5321 memory leak in videobuf on multiple calls to mmap()

Related Vulnerabilities: CVE-2010-5321  

Debian Bug report logs - #827340

Reported by: Petter Reinholdtsen <pere@hungry.com>

Date: Wed, 15 Jun 2016 06:51:01 UTC

Severity: minor

Tags: security, upstream

Found in versions linux/4.6.2-1, linux/3.2.41-2, linux/3.2.78-1

Forwarded to https://bugzilla.kernel.org/show_bug.cgi?id=120571



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#827340; Package src:linux. (Wed, 15 Jun 2016 06:51:05 GMT)


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
New Bug report received and forwarded. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Wed, 15 Jun 2016 06:51:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: submit@bugs.debian.org
Subject: linux: CVE-2010-5321 memory leak in videobuf on multiple calls to mmap()
Date: Wed, 15 Jun 2016 08:46:05 +0200
Package: src:linux
Version: 3.2.78-1
Severity: minor
Tags: security

In 2010 an issue with the Linux kernel implementation of v4l was
discovered and reported to Red Hat as
<URL: https://bugzilla.redhat.com/show_bug.cgi?id=620629 >.  It was
assigned a CVE last year in
<URL: http://www.openwall.com/lists/oss-security/2015/02/08/4 > and is
still unsolved as far as I can tell.

If I understand the issue correctly, a user with access to /dev/video
can cause the kernel to leak memory and eventually run out of memory by
doing repeated calls to mmap().  In other words, users with video group
membership can bring down the machine.

According to
<URL: https://security-tracker.debian.org/tracker/CVE-2010-5321 > the
issue is present in Wheezy and onwards.  It is probably present in
earlier versions too.  I picked the kernel version number used in wheezy
for this report.

I noticed this issue, as it is the oldest non-fixed CVE number reported
by debsecan on my laptop, and decided it was time to track its progress
in a bug report.

-- 
Happy hacking
Petter Reinholdtsen



Added tag(s) upstream. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Wed, 15 Jun 2016 11:21:13 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#827340; Package src:linux. (Fri, 17 Jun 2016 22:27:03 GMT)


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Fri, 17 Jun 2016 22:27:03 GMT)


Message #12 received at 827340@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: 827340@bugs.debian.org
Subject: Re: linux: CVE-2010-5321 memory leak in videobuf on multiple calls to mmap()
Date: Sat, 18 Jun 2016 00:25:44 +0200
Control: found -1 4.6.2-1

[Petter Reinholdtsen]
> If I understand the issue correctly, a user with access to /dev/video
> can cause the kernel to leak memory and eventually run out of memory by
> doing repeated calls to mmap().  In other words, users with video group
> membership can bring down the machine.

I've tried to track down a way to reproduce the problem without any
luck so far.  I asked on #v4l to see if anyone there could help and got
some more information:

<pere> hi.  I'm trying to figure out if CVE-2010-5321 reported via
   <URL: https://bugzilla.redhat.com/show_bug.cgi?id=620629 > still
   exists in the linux kernel, and it links to
   <URL: https://linuxtv.org/irc/v4l/index.php?date=2010-07-29 > for
   more information.  But that IRC log page is empty.  Anyone here know
   how to reproduce the problem or find the log from that day?
<pinchartl> pere: that's old
<pinchartl> the bug seems to affect videobuf only, not videobuf2
<pere> yeah.  and it seems to be unsolved, but I have not been able to verify it.
<pinchartl> not all drivers have been converted to videobuf2
<pinchartl> but if the drivers you are interested in have been, then you
   should be safe from that point of view
<pere> my focus is tracking CVEs in Debian, to know if the issue still
   exists or not.
<pere> <URL: https://security-tracker.debian.org/tracker/CVE-2010-5321 >
   shows the kernel still vulnerable...
<pinchartl> I don't know I'm afraid
<pinchartl> (one more reason to get rid of videobuf)
<pere> how can I tell if a driver/device uses videobuf and not videobuf2?
   I assume some specific hardware is needed to reproduce the problem.
<pinchartl> search for #include <media/videobuf-.*.h> in the sources
<pinchartl> there's 9 of them left if I count properly
<pinchartl> via-camera, fsl-viu, bttv, cx18, tm6000, zr364xx, cx231xx,
   pxa_camera and omap_vout
<pinchartl> ah, and omap1_camera and timblogiw in staging
<pinchartl> so that's 11
<pere> hm, wonder if I have a PCI card supported by bttv...
<pinchartl> patches would be great :-)
<pere> I am sure it would, but lack the capacity to look into that. :)
<pere> pinchartl: is the description in that bug report enough for you to
   know how to reproduce it?  I've tried writing a test program, but only
   got a v4l2 device and got EBUSY when calling mmap() several times there.
<pere> but I suspect my test program is flawed, as I did not really quite
   understand the description.
<pere> the redhat bug report was very short, and I suspect the details are
   in one of the referred bug reports, which are not available to the public. :(

According to this report the issue still exists in the kernel for a small
number of camera drivers, so I mark it as found in the unstable kernel too.

I notice this bug is tagged upstream.  Is there a bug report upstream too?
I've been unable to find any.

-- 
Happy hacking
Petter Reinholdtsen



Marked as found in versions linux/4.6.2-1. Request was from Petter Reinholdtsen <pere@hungry.com> to 827340-submit@bugs.debian.org. (Fri, 17 Jun 2016 22:27:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#827340; Package src:linux. (Fri, 17 Jun 2016 23:12:08 GMT)


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Fri, 17 Jun 2016 23:12:08 GMT)


Message #19 received at 827340@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: 827340@bugs.debian.org
Subject: Re: linux: CVE-2010-5321 memory leak in videobuf on multiple calls to mmap()
Date: Sat, 18 Jun 2016 01:10:28 +0200
Control: forwarded -1 https://bugzilla.kernel.org/show_bug.cgi?id=120571

I got some more information on the #v4l IRC channel and decided to
report the issue upstream while I was at it.

<pinchartl> which driver are you using ?
<pere> I guess uvcvideo based on the lsmod output.
<pinchartl> uvcvideo uses videobuf2
<pinchartl> I quickly looked at the videobuf code and the bug seems to
   still be present 
<pere> easy to fix?
<pinchartl> that I can't tell without a deeper analysis of the code
<pinchartl> it would need to be fixed in four places, as there are four
   memory allocator backends for videobuf 
<pinchartl> moving drivers to videobuf2 would be much better
<pinchartl> especially the bttv driver
<pinchartl> and if Debian decides to disable the above 11 drivers by
   default until they get fixed, I won't complain
<pinchartl> although users might
<pere> what is the upstream location for v4l bugs?  I guess it should be
   reported somewhere else than in redhat and debian? 
<pere> perhaps it already is reported and I can't find it.
<pinchartl> there's a bugzilla instance on kernel.org
<pinchartl> https://bugzilla.kernel.org/
<pinchartl> bugs are usually reported on the linux-media mailing list
<pere> hm,
   <URL: http://www.gossamer-threads.com/lists/linux/kernel/852719?page=last >
   seems related
<pere> reported upstream as
   <URL: https://bugzilla.kernel.org/show_bug.cgi?id=120571 >
-- 
Happy hacking
Petter Reinholdtsen
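
The two checks suggested on #v4l in messages #12 and #19 (searching the sources for `#include <media/videobuf-.*.h>`, and knowing whether one of the 11 named drivers is in use), written as a shell script. This is an added example, not part of the original bug log; the function names, the sample tree and the mapping from driver name to module name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for legacy videobuf use.

# Driver names exactly as listed on #v4l in the messages above.
LEGACY_DRIVERS="via-camera fsl-viu bttv cx18 tm6000 zr364xx cx231xx pxa_camera omap_vout omap1_camera timblogiw"

# Print every .c/.h file under $1 that includes a legacy videobuf header.
# The pattern requires "videobuf-", so <media/videobuf2-*.h> does not match.
legacy_videobuf_files() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) -exec grep -lE \
        '^[[:space:]]*#[[:space:]]*include[[:space:]]*<media/videobuf-[^>]*\.h>' {} + | sort
}

# Read lsmod-style lines on stdin; print modules that are on the list.
# Assumption: module name == driver name, with '-' shown as '_' by lsmod.
loaded_legacy_modules() {
    wanted=" $(printf '%s' "$LEGACY_DRIVERS" | tr '-' '_') "
    while read -r mod _rest; do
        [ -n "$mod" ] || continue
        case "$wanted" in
            *" $mod "*) printf '%s\n' "$mod" ;;
        esac
    done
}

# Constructed sample tree: one legacy videobuf user, one videobuf2 user.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/legacy_drv" "$d/vb2_drv"
    printf '#include <media/videobuf-dma-sg.h>\n' > "$d/legacy_drv/capture.c"
    printf '#include <media/videobuf2-vmalloc.h>\n' > "$d/vb2_drv/queue.c"
    printf '%s\n' "$d"
}

# Demo on constructed input; on a real system use a kernel tree and `lsmod`.
tree=$(make_sample_tree)
echo "Files including legacy videobuf headers:"
legacy_videobuf_files "$tree"
echo "Loaded modules that are on the thread's list:"
printf 'Module Size Used by\nbttv 143360 0\nuvcvideo 90112 0\n' | loaded_legacy_modules
rm -rf "$tree"
```

On a real machine, point `legacy_videobuf_files` at the `drivers/` directory of the kernel source in question and pipe `lsmod` into `loaded_legacy_modules`.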



Set Bug forwarded-to-address to 'https://bugzilla.kernel.org/show_bug.cgi?id=120571'. Request was from Petter Reinholdtsen <pere@hungry.com> to 827340-submit@bugs.debian.org. (Fri, 17 Jun 2016 23:12:08 GMT)


Marked as found in versions linux/3.2.41-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 18 Jun 2016 04:30:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:33:05 2019; Machine Name: beach
