From: <yjjuny.lee@samsung.com>
To: "'Laurent Pinchart'" <laurent.pinchart@ideasonboard.com>,
	"'Ricardo Ribalda'" <ribalda@chromium.org>
Cc: <hdegoede@redhat.com>, <mchehab@kernel.org>,
	<linux-media@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH] usb: uvc: Fix 1-byte out-of-bounds read in uvc_parse_format()
Date: Wed, 11 Jun 2025 10:33:27 +0900
Message-ID: <01b501dbda70$d47d5ee0$7d781ca0$@samsung.com>
In-Reply-To: <20250610213058.GG24465@pendragon.ideasonboard.com>

The buffer length check before calling uvc_parse_format() only ensured
that the buffer has at least 3 bytes (buflen > 2), but the function
accesses buffer[3], requiring at least 4 bytes.

This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.

Fix it by checking that the buffer has at least 4 bytes in
uvc_parse_format().

Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---
 drivers/media/usb/uvc/uvc_driver.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index da24a655ab68..1100469a83a2 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -344,6 +344,9 @@ static int uvc_parse_format(struct uvc_device *dev,
 	u8 ftype;
 	int ret;
 
+	if (buflen < 4)
+		return -EINVAL;
+
 	format->type = buffer[2];
 	format->index = buffer[3];
 	format->frames = frames;
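Review bot: the new guard duplicates, rather than replaces, the caller-side check the commit message describes (buflen > 2), so a 3-byte descriptor is now rejected with -EINVAL inside uvc_parse_format() while the caller still considers 3 bytes enough to make the call; either tightening the caller's test to require 4 bytes as well, or stating in the commit message why the check belongs in the callee, would keep the two guards from drifting apart. Separately, this repost drops the Fixes: c0efd232929c and Cc: stable@vger.kernel.org trailers that were added in the earlier review; an out-of-bounds read fix should carry both so that it reaches the stable trees.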
-- 
2.43.0


> On Tue, Jun 10, 2025 at 02:58:25PM +0200, Ricardo Ribalda wrote:
> > Hi Youngjun
> > 
> > You still miss the v2 (v3 in this case) and the trailers.
> > 
> > In the future you can use the b4 tool to take care of most of the details.
> > https://b4.docs.kernel.org/en/latest/contributor/overview.html
> > It has a "dry-run" option that lets you review the mails before you send 
> > them to the mailing list
> > 
> > Please do not resubmit a new patch to fix this, only send a new patch 
> > to fix more comments for other people.
> > 
> > Regards!
> > 
> > On Tue, 10 Jun 2025 at 14:41, Youngjun Lee <yjjuny.lee@samsung.com> wrote:
> > >
> > > The buffer length check before calling uvc_parse_format() only 
> > > ensured that the buffer has at least 3 bytes (buflen > 2), but the 
> > > function accesses buffer[3], requiring at least 4 bytes.
> > >
> > > This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
> > >
> > > Fix it by checking that the buffer has at least 4 bytes in 
> > > uvc_parse_format().
> >
> > Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
> > Cc: stable@vger.kernel.org
> > Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
>
> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
>
> > > Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
> > > ---
> > >  drivers/media/usb/uvc/uvc_driver.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/media/usb/uvc/uvc_driver.c 
> > > b/drivers/media/usb/uvc/uvc_driver.c
> > > index da24a655ab68..1100469a83a2 100644
> > > --- a/drivers/media/usb/uvc/uvc_driver.c
> > > +++ b/drivers/media/usb/uvc/uvc_driver.c
> > > @@ -344,6 +344,9 @@ static int uvc_parse_format(struct uvc_device *dev,
> > >         u8 ftype;
> > >         int ret;
> > >
> > > +       if (buflen < 4)
> > > +               return -EINVAL;
> > > +
> > >         format->type = buffer[2];
> > >         format->index = buffer[3];
> > >         format->frames = frames;
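Review bot: with `return -EINVAL` as the error path, a single 3-byte VS_FORMAT_* descriptor turns from a silent over-read into a hard failure of uvc_parse_format(), and the hunk does not show how the caller treats a non-zero return; please confirm (ideally in the commit message) whether a malformed format descriptor from the device now aborts probing of the whole device or only skips that descriptor, so reviewers can judge that the stricter behaviour is intended.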

--
Thanks & Regards,

Youngjun Lee

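As an added illustration (not part of this message, of the patch, or of the kernel tree), the C below models the guard the commit message describes: a pre-patch parser that relies only on the caller's buflen > 2 test, the post-patch parser with its own buflen < 4 check, and a descriptor walker that compares each bLength with the bytes remaining before handing a VS_FORMAT_* descriptor to the parser. The descriptors are constructed; the 3-byte case is copied into a sentinel-padded backing array so the pre-patch over-read shows up as a bogus bFormatIndex instead of undefined behaviour. The function and type names (parse_format_prepatch, parse_format_fixed, walk_vs_descriptors, vs_format_hdr) are hypothetical; CS_INTERFACE and the VS_FORMAT_* values are the UVC descriptor constants.

```c
/* Added example, not kernel code and not part of this patch: models the length
 * guard under discussion on constructed VS_FORMAT_* descriptors. Names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CS_INTERFACE           0x24
#define VS_FORMAT_UNCOMPRESSED 0x04
#define VS_FORMAT_MJPEG        0x06
#define OOB_SENTINEL           0xAA	/* byte planted just past a short buffer */

/* The two header bytes read before any subtype-specific parsing:
 * buffer[2] = bDescriptorSubtype, buffer[3] = bFormatIndex. */
struct vs_format_hdr {
	uint8_t type;
	uint8_t index;
};

/* Pre-patch model: only the caller's "buflen > 2" test exists, so with
 * buflen == 3 the read of buffer[3] lands one byte past the descriptor. */
static int parse_format_prepatch(const uint8_t *buffer, size_t buflen,
				 struct vs_format_hdr *out)
{
	if (buflen <= 2)
		return -EINVAL;
	out->type = buffer[2];
	out->index = buffer[3];
	return 0;
}

/* Post-patch model: the callee guards every byte it touches. */
static int parse_format_fixed(const uint8_t *buffer, size_t buflen,
			      struct vs_format_hdr *out)
{
	if (buflen < 4)
		return -EINVAL;
	out->type = buffer[2];
	out->index = buffer[3];
	return 0;
}

/* Walks a concatenated class-specific descriptor blob the way a probe loop does:
 * bLength comes from the device, so it is checked against the bytes remaining
 * before use; each format descriptor reaches the fixed parser with its own
 * bLength as buflen. Returns the number of formats accepted or -errno. */
static int walk_vs_descriptors(const uint8_t *buf, size_t len,
			       struct vs_format_hdr *out, size_t max_out)
{
	size_t off = 0;
	int n = 0;
	while (len - off >= 2) {
		size_t blen = buf[off];
		if (blen < 2 || blen > len - off)
			return -EINVAL;		/* bLength overruns the blob */
		if (buf[off + 1] == CS_INTERFACE && blen > 2 &&
		    (buf[off + 2] == VS_FORMAT_UNCOMPRESSED ||
		     buf[off + 2] == VS_FORMAT_MJPEG)) {
			if ((size_t)n >= max_out)
				return -ENOSPC;
			int ret = parse_format_fixed(buf + off, blen, &out[n]);
			if (ret)
				return ret;	/* e.g. a 3-byte format descriptor */
			n++;
		}
		off += blen;
	}
	return n;
}

/* Constructed 3-byte descriptor: bLength=3, CS_INTERFACE,
 * VS_FORMAT_UNCOMPRESSED, and no bFormatIndex byte. */
static const uint8_t short_desc[3] = { 0x03, CS_INTERFACE, VS_FORMAT_UNCOMPRESSED };

/* Constructed blob: two well-formed 4-byte format headers (bFormatIndex 1 and 2). */
static const uint8_t good_blob[] = {
	0x04, CS_INTERFACE, VS_FORMAT_UNCOMPRESSED, 0x01,
	0x04, CS_INTERFACE, VS_FORMAT_MJPEG,        0x02,
};

/* Constructed blob: a good header followed by short_desc; the walk must fail with -EINVAL. */
static const uint8_t truncated_blob[] = {
	0x04, CS_INTERFACE, VS_FORMAT_UNCOMPRESSED, 0x01,
	0x03, CS_INTERFACE, VS_FORMAT_UNCOMPRESSED,
};

/* Copies short_desc into a sentinel-filled backing store so the pre-patch
 * over-read is observable rather than undefined; returns the index it "read". */
static int prepatch_index_on_short_desc(void)
{
	uint8_t backing[8];
	struct vs_format_hdr hdr = { 0, 0 };
	memset(backing, OOB_SENTINEL, sizeof backing);
	memcpy(backing, short_desc, sizeof short_desc);
	if (parse_format_prepatch(backing, sizeof short_desc, &hdr) != 0)
		return -1;
	return hdr.index;	/* OOB_SENTINEL: the byte past the end of the descriptor */
}
```

The walker generalizes the single check in the patch to the usual two-level rule for USB descriptor parsing: trust bLength only after comparing it with the bytes left in the buffer, and let each per-subtype parser validate its own minimum length rather than inheriting a looser check from the caller.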


Thread overview: 8+ messages
2025-06-10 12:41 ` [PATCH] usb: uvc: Fix 1-byte out-of-bounds read in uvc_parse_format() Youngjun Lee
2025-06-10 12:58   ` Ricardo Ribalda
2025-06-10 21:30     ` Laurent Pinchart
2025-06-11  1:25       ` [PATCH v3] media: uvcvideo: " Youngjun Lee
2025-06-11  1:33       ` yjjuny.lee [this message]
2025-06-10 11:37 ` [PATCH] usb: uvc: " Youngjun Lee
2025-06-10 11:56   ` Ricardo Ribalda
2025-06-10 12:33     ` yjjuny.lee
