Bug#925936: release.debian.org: Would v4l-utils 1.16.5 match unblocking criteria?

To: 925936@bugs.debian.org
Subject: Bug#925936: release.debian.org: Would v4l-utils 1.16.5 match unblocking criteria?
From: Gregor Jasny <gjasny@googlemail.com>
Date: Sun, 14 Apr 2019 14:41:15 +0200
Message-id: <[🔎] b04ab7e6-4507-8d26-db68-20feb51cbb5e@googlemail.com>
Reply-to: Gregor Jasny <gjasny@googlemail.com>, 925936@bugs.debian.org
In-reply-to: <acf3c766-b630-6692-3a01-247bd1c52219@thykier.net>
References: <155380581829.16078.2608166261843486348.reportbug@sid.fritz.box> <acf3c766-b630-6692-3a01-247bd1c52219@thykier.net> <155380581829.16078.2608166261843486348.reportbug@sid.fritz.box>

Control: tags -1 - moreinfo

Hello,

A new patch turned up and I decided to only cherry-pick the three mostimportant patches from the stable-1.16 tree.


Debdiff is attached.

If you agree on the changes I will upload via unstable.

Thanks,
Gregor

diff -Nru v4l-utils-1.16.3/debian/changelog v4l-utils-1.16.3/debian/changelog
--- v4l-utils-1.16.3/debian/changelog	2018-12-15 19:34:33.000000000 +0100
+++ v4l-utils-1.16.3/debian/changelog	2019-04-14 14:30:26.000000000 +0200
@@ -1,3 +1,9 @@
+v4l-utils (1.16.3-2) unstable; urgency=medium
+
+  * Fix double-free and uninitailized memory issue. LP: #1819650
+
+ -- Gregor Jasny <gjasny@googlemail.com>  Sun, 14 Apr 2019 14:30:26 +0200
+
 v4l-utils (1.16.3-1) unstable; urgency=medium
 
   * Imported Upstream version 1.16.3
diff -Nru v4l-utils-1.16.3/debian/gbp.conf v4l-utils-1.16.3/debian/gbp.conf
--- v4l-utils-1.16.3/debian/gbp.conf	2018-10-06 13:53:55.000000000 +0200
+++ v4l-utils-1.16.3/debian/gbp.conf	2019-04-14 14:23:39.000000000 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = upstream
-debian-branch = master
+debian-branch = buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = True
diff -Nru v4l-utils-1.16.3/debian/patches/0003-dvbv5-tools-be-sure-to-zero-struct-arguments.patch v4l-utils-1.16.3/debian/patches/0003-dvbv5-tools-be-sure-to-zero-struct-arguments.patch
--- v4l-utils-1.16.3/debian/patches/0003-dvbv5-tools-be-sure-to-zero-struct-arguments.patch	1970-01-01 01:00:00.000000000 +0100
+++ v4l-utils-1.16.3/debian/patches/0003-dvbv5-tools-be-sure-to-zero-struct-arguments.patch	2019-04-14 14:28:27.000000000 +0200
@@ -0,0 +1,50 @@
+Subject: dvbv5-tools: be sure to zero struct arguments
+Author: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Origin: upstream, https://git.linuxtv.org/v4l-utils.git/commit/?h=stable-1.16&id=faef148b1b67bd17f8aaaa79fd71746532c86e90
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1819650
+
+From 23e5056b0487acdaa56e5569952b5a8f344cf49b Mon Sep 17 00:00:00 2001
+Date: Thu, 14 Mar 2019 19:23:38 -0300
+
+Let's not let the arguments struct with some random value.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+---
+ utils/dvb/dvb-format-convert.c | 2 +-
+ utils/dvb/dvbv5-scan.c         | 2 +-
+ utils/dvb/dvbv5-zap.c          | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/utils/dvb/dvb-format-convert.c
++++ b/utils/dvb/dvb-format-convert.c
+@@ -123,7 +123,7 @@
+ 
+ int main(int argc, char **argv)
+ {
+-	struct arguments args;
++	struct arguments args = {};
+ 	int idx = -1, missing = 0;
+ 	const struct argp argp = {
+ 		.options = options,
+--- a/utils/dvb/dvbv5-scan.c
++++ b/utils/dvb/dvbv5-scan.c
+@@ -450,7 +450,7 @@
+ 
+ int main(int argc, char **argv)
+ {
+-	struct arguments args;
++	struct arguments args = {};
+ 	int err, lnb = -1,idx = -1;
+ 	struct dvb_device *dvb;
+ 	struct dvb_dev_list *dvb_dev;
+--- a/utils/dvb/dvbv5-zap.c
++++ b/utils/dvb/dvbv5-zap.c
+@@ -1018,7 +1018,7 @@
+ 
+ int main(int argc, char **argv)
+ {
+-	struct arguments args;
++	struct arguments args = {};
+ 	char *homedir = getenv("HOME");
+ 	char *channel = NULL;
+ 	int lnb = -1, idx = -1;
diff -Nru v4l-utils-1.16.3/debian/patches/0005-libdvbv5-leaks-and-double-free-in-dvb_fe_open_fname.patch v4l-utils-1.16.3/debian/patches/0005-libdvbv5-leaks-and-double-free-in-dvb_fe_open_fname.patch
--- v4l-utils-1.16.3/debian/patches/0005-libdvbv5-leaks-and-double-free-in-dvb_fe_open_fname.patch	1970-01-01 01:00:00.000000000 +0100
+++ v4l-utils-1.16.3/debian/patches/0005-libdvbv5-leaks-and-double-free-in-dvb_fe_open_fname.patch	2019-04-14 14:28:25.000000000 +0200
@@ -0,0 +1,93 @@
+Subject: libdvbv5: leaks and double free in dvb_fe_open_fname()
+Author: Sean Young <sean@mess.org>
+Origin: upstream, https://git.linuxtv.org/v4l-utils.git/commit/?h=stable-1.16&id=c82608ca1595427c2bdbd4abb9aca9163e1df60a
+Bug-Ubuntu: https://bugs.launchpad.net/raspbian/+bug/1819650
+
+dvb_fe_open_fname() takes ownership of fname if the function succeeds, but
+also in two of the error paths (e.g. if the ioctl FE_GET_PROPERTY fails).
+
+Adjust dvb_fe_open_fname() so it copies fname rather than taking ownership
+(and passing that to params). This makes the code cleaner.
+
+Signed-off-by: Sean Young <sean@mess.org>
+---
+ lib/libdvbv5/dvb-dev-local.c |  2 +-
+ lib/libdvbv5/dvb-fe.c        | 18 ++++++++----------
+ 2 files changed, 9 insertions(+), 11 deletions(-)
+
+--- a/lib/libdvbv5/dvb-dev-local.c
++++ b/lib/libdvbv5/dvb-dev-local.c
+@@ -467,7 +467,7 @@
+ 			flags &= ~O_NONBLOCK;
+ 		}
+ 
+-		ret = dvb_fe_open_fname(parms, strdup(dev->path), flags);
++		ret = dvb_fe_open_fname(parms, dev->path, flags);
+ 		if (ret) {
+ 			free(open_dev);
+ 			return NULL;
+--- a/lib/libdvbv5/dvb-fe.c
++++ b/lib/libdvbv5/dvb-fe.c
+@@ -133,7 +133,6 @@
+ 					  int flags)
+ {
+ 	int ret;
+-	char *fname;
+ 	struct dvb_device *dvb;
+ 	struct dvb_dev_list *dvb_dev;
+ 	struct dvb_v5_fe_parms_priv *parms = NULL;
+@@ -153,7 +152,6 @@
+ 		dvb_dev_free(dvb);
+ 		return NULL;
+ 	}
+-	fname = strdup(dvb_dev->path);
+ 
+ 	if (!strcmp(dvb_dev->bus_addr, "platform:dvbloopback")) {
+ 		logfunc(LOG_WARNING, _("Detected dvbloopback"));
+@@ -161,14 +159,10 @@
+ 	}
+ 
+ 	dvb_dev_free(dvb);
+-	if (!fname) {
+-		logfunc(LOG_ERR, _("fname calloc: %s"), strerror(errno));
+-		return NULL;
+-	}
++
+ 	parms = calloc(sizeof(*parms), 1);
+ 	if (!parms) {
+ 		logfunc(LOG_ERR, _("parms calloc: %s"), strerror(errno));
+-		free(fname);
+ 		return NULL;
+ 	}
+ 	parms->p.verbose = verbose;
+@@ -183,7 +177,7 @@
+ 	if (use_legacy_call)
+ 		parms->p.legacy_fe = 1;
+ 
+-	ret = dvb_fe_open_fname(parms, fname, flags);
++	ret = dvb_fe_open_fname(parms, dvb_dev->path, flags);
+ 	if (ret < 0) {
+ 		free(parms);
+ 		return NULL;
+@@ -203,7 +197,6 @@
+ 	fd = open(fname, flags, 0);
+ 	if (fd == -1) {
+ 		dvb_logerr(_("%s while opening %s"), strerror(errno), fname);
+-		free(fname);
+ 		return -errno;
+ 	}
+ 
+@@ -226,7 +219,12 @@
+ 		}
+ 	}
+ 
+-	parms->fname = fname;
++	parms->fname = strdup(fname);
++	if (!parms->fname) {
++		dvb_logerr(_("fname calloc: %s"), strerror(errno));
++		return -errno;
++	}
++
+ 	parms->fd = fd;
+ 	parms->fe_flags = flags;
+ 	parms->dvb_prop[0].cmd = DTV_API_VERSION;
diff -Nru v4l-utils-1.16.3/debian/patches/0008-libdvbv5-fix-double-free-in-dvb_fe_open_fname.patch v4l-utils-1.16.3/debian/patches/0008-libdvbv5-fix-double-free-in-dvb_fe_open_fname.patch
--- v4l-utils-1.16.3/debian/patches/0008-libdvbv5-fix-double-free-in-dvb_fe_open_fname.patch	1970-01-01 01:00:00.000000000 +0100
+++ v4l-utils-1.16.3/debian/patches/0008-libdvbv5-fix-double-free-in-dvb_fe_open_fname.patch	2019-04-14 14:28:20.000000000 +0200
@@ -0,0 +1,59 @@
+Subject: libdvbv5: fix double free in dvb_fe_open_fname
+Author: Andre Roth <neolynx@gmail.com>
+Origin: upstream, https://git.linuxtv.org/v4l-utils.git/commit/?h=stable-1.16&id=78057aaa784a922b4ac6af9f323b828f7a834581
+Bug-Ubuntu: https://bugs.launchpad.net/raspbian/+bug/1819650
+
+Since parms and fname is allocated outside of the function, do not free it.
+Use dvb_v5_free for freeing parms, it will free fname if required.
+
+Signed-off-by: Andre Roth <neolynx@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+---
+ lib/libdvbv5/dvb-fe.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/lib/libdvbv5/dvb-fe.c
++++ b/lib/libdvbv5/dvb-fe.c
+@@ -179,7 +179,7 @@
+ 
+ 	ret = dvb_fe_open_fname(parms, dvb_dev->path, flags);
+ 	if (ret < 0) {
+-		free(parms);
++		dvb_v5_free(parms);
+ 		return NULL;
+ 	}
+ 
+@@ -202,9 +202,7 @@
+ 
+ 	if (xioctl(fd, FE_GET_INFO, &parms->p.info) == -1) {
+ 		dvb_perror("FE_GET_INFO");
+-		dvb_v5_free(parms);
+ 		close(fd);
+-		free(fname);
+ 		return -errno;
+ 	}
+ 
+@@ -291,7 +289,6 @@
+ 		}
+ 		if (!parms->p.num_systems) {
+ 			dvb_logerr(_("delivery system not detected"));
+-			dvb_v5_free(parms);
+ 			close(fd);
+ 			return -EINVAL;
+ 		}
+@@ -302,7 +299,6 @@
+ 		dtv_prop.props = parms->dvb_prop;
+ 		if (xioctl(fd, FE_GET_PROPERTY, &dtv_prop) == -1) {
+ 			dvb_perror("FE_GET_PROPERTY");
+-			dvb_v5_free(parms);
+ 			close(fd);
+ 			return -errno;
+ 		}
+@@ -312,7 +308,6 @@
+ 
+ 		if (parms->p.num_systems == 0) {
+ 			dvb_logerr(_("driver returned 0 supported delivery systems!"));
+-			dvb_v5_free(parms);
+ 			close(fd);
+ 			return -EINVAL;
+ 		}
diff -Nru v4l-utils-1.16.3/debian/patches/series v4l-utils-1.16.3/debian/patches/series
--- v4l-utils-1.16.3/debian/patches/series	2018-12-15 19:34:33.000000000 +0100
+++ v4l-utils-1.16.3/debian/patches/series	2019-04-14 14:24:59.000000000 +0200
@@ -1 +1,4 @@
 dont-gererate-treeview.diff
+0003-dvbv5-tools-be-sure-to-zero-struct-arguments.patch
+0005-libdvbv5-leaks-and-double-free-in-dvb_fe_open_fname.patch
+0008-libdvbv5-fix-double-free-in-dvb_fe_open_fname.patch

Reply to:

Follow-Ups:
- Bug#925936: release.debian.org: Would v4l-utils 1.16.5 match unblocking criteria?
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: Processed: Re: Bug#925936: release.debian.org: Would v4l-utils 1.16.5 match unblocking criteria?
Next by Date: Processed: tagging 926907
Previous by thread: Processed: retitle 926383
Next by thread: Processed: Re: Bug#925936: release.debian.org: Would v4l-utils 1.16.5 match unblocking criteria?
Index(es):
- Date
- Thread