From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Hans Verkuil <hans.verkuil@cisco.com>
Cc: linux-media@vger.kernel.org, Guenter Roeck <linux@roeck-us.net>
Subject: [PATCH 2/5] uvcvideo: Prevent heap overflow when accessing mapped controls
Date: Tue,  8 Aug 2017 15:56:21 +0300
Message-ID: <20170808125624.11328-3-laurent.pinchart@ideasonboard.com>
In-Reply-To: <20170808125624.11328-1-laurent.pinchart@ideasonboard.com>

From: Guenter Roeck <linux@roeck-us.net>

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Cc: stable@vger.kernel.org
Originally-from: Richard Simmons <rssimmo@amazon.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---
 drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
index c2ee6e39fd0c..20397aba6849 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -2002,6 +2002,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
 		goto done;
 	}
 
+	/* Validate the user-provided bit-size and offset */
+	if (mapping->size > 32 ||
+	    mapping->offset + mapping->size > ctrl->info.size * 8) {
+		ret = -EINVAL;
+		goto done;
+	}
+
 	list_for_each_entry(map, &ctrl->info.mappings, list) {
 		if (mapping->id == map->id) {
 			uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "
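
Review bot: in the second clause of the new check, "mapping->offset + mapping->size > ctrl->info.size * 8", the sum is only a valid bound if it cannot wrap, and the hunk does not show the width of either field. Because of the short-circuit, size is already known to be at most 32 when the sum is evaluated, so the remaining risk is a large user-supplied offset; it is worth stating the field types in the commit message or the comment, or writing the test in a form that cannot wrap, for example rejecting when offset exceeds info.size * 8 - size after size has been bounded. Two smaller points: the literal 32 has no explanation beyond "bit-size", so a short comment or named constant saying why 32 is the limit would help, and this path returns -EINVAL silently while the duplicate-id check just below logs through uvc_trace(UVC_TRACE_CONTROL, ...), so a matching trace message here would make rejected mappings easier to diagnose.
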
-- 
Regards,

Laurent Pinchart
