From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Hans de Goede <hdegoede@redhat.com>,
	Johan Hovold <johan@kernel.org>,
	Hans Verkuil <hverkuil-cisco@xs4all.nl>,
	Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Subject: [PATCH 5.6 22/23] media: xirlink_cit: add missing descriptor sanity checks
Date: Tue, 31 Mar 2020 10:59:34 +0200
Message-ID: <20200331085317.512897637@linuxfoundation.org>
In-Reply-To: <20200331085308.098696461@linuxfoundation.org>

From: Johan Hovold <johan@kernel.org>

commit a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 upstream.

Make sure to check that we have two alternate settings and at least one
endpoint before accessing the second altsetting structure and
dereferencing the endpoint arrays.

This specifically avoids dereferencing NULL-pointers or corrupting
memory when a device does not have the expected descriptors.

Note that the sanity check in cit_get_packet_size() is not redundant as
the driver is mixing looking up altsettings by index and by number,
which may not coincide.

Fixes: 659fefa0eb17 ("V4L/DVB: gspca_xirlink_cit: Add support for camera with a bcd version of 0.01")
Fixes: 59f8b0bf3c12 ("V4L/DVB: gspca_xirlink_cit: support bandwidth changing for devices with 1 alt setting")
Cc: stable <stable@vger.kernel.org>     # 2.6.37
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/gspca/xirlink_cit.c |   18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/gspca/xirlink_cit.c
+++ b/drivers/media/usb/gspca/xirlink_cit.c
@@ -1442,6 +1442,9 @@ static int cit_get_packet_size(struct gs
 		return -EIO;
 	}
 
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	return le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 }
 
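Review bot: in cit_get_packet_size() the new bNumEndpoints check returns -ENODEV with no message, while the error path just above it returns -EIO, so two kinds of descriptor problem surface with different codes and no explanation. A one-line comment saying why the codes differ, or an error print naming the missing endpoint, would make a malformed device easier to diagnose; callers also need to treat any negative return as a failure rather than as a packet size.
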
@@ -2626,6 +2629,7 @@ static int sd_start(struct gspca_dev *gs
 
 static int sd_isoc_init(struct gspca_dev *gspca_dev)
 {
+	struct usb_interface_cache *intfc;
 	struct usb_host_interface *alt;
 	int max_packet_size;
 
@@ -2641,8 +2645,17 @@ static int sd_isoc_init(struct gspca_dev
 		break;
 	}
 
+	intfc = gspca_dev->dev->actconfig->intf_cache[0];
+
+	if (intfc->num_altsetting < 2)
+		return -ENODEV;
+
+	alt = &intfc->altsetting[1];
+
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	/* Start isoc bandwidth "negotiation" at max isoc bandwidth */
-	alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 	alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(max_packet_size);
 
 	return 0;
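Review bot: in sd_isoc_init() the `alt->desc.bNumEndpoints < 1` check proves that endpoint[0] exists but not that it is an isochronous endpoint, and the next statement overwrites its wMaxPacketSize in the cached descriptor. Consider also returning -ENODEV unless usb_endpoint_xfer_isoc(&alt->endpoint[0].desc) holds. The lookup is also by array index (altsetting[1]), which, as the commit message itself notes, may not coincide with the altsetting number used elsewhere in the driver, so a short comment stating that index 1 is what is intended here would help.
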
@@ -2665,6 +2678,9 @@ static int sd_isoc_nego(struct gspca_dev
 		break;
 	}
 
+	/*
+	 * Existence of altsetting and endpoint was verified in sd_isoc_init()
+	 */
 	alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 	packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 	if (packet_size <= min_packet_size)
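
Review bot: the new comment in sd_isoc_nego() makes the unchecked altsetting[1] and endpoint[0] accesses depend on sd_isoc_init() always having run and succeeded first, against the same active configuration. Spell that ordering guarantee out in the comment (that a failing sd_isoc_init() prevents sd_isoc_nego() from being called), so a later change to the call order does not silently reintroduce the unchecked dereference.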


