From: Dan Carpenter <dan.carpenter@oracle.com>
To: linux-media@vger.kernel.org,
Mauro Carvalho Chehab <mchehab@infradead.org>
Cc: kernel-janitors@vger.kernel.org, stable@vger.kernel.org
Subject: [patch -longterm] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
Date: Thu, 15 Dec 2011 06:34:45 +0000 [thread overview]
Message-ID: <20111215063445.GA2424@elgon.mountain> (raw)
On a 32-bit system the multiplication here could overflow. p->count is
used in some of the V4L drivers.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is a patch against the 2.6.32-longterm kernel. In the stock
kernel, this code was totally rewritten and fixed in 2010 by d14e6d76ebf
"[media] v4l: Add multi-planar ioctl handling code".
Hopefully, someone can Ack this and we merge it into the stable tree.
diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
index 265bfb5..7196303 100644
--- a/drivers/media/video/v4l2-ioctl.c
+++ b/drivers/media/video/v4l2-ioctl.c
@@ -414,6 +414,9 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
p->error_idx = p->count;
user_ptr = (void __user *)p->controls;
if (p->count) {
+ err = -EINVAL;
+ if (p->count > ULONG_MAX / sizeof(struct v4l2_ext_control))
+ goto out_ext_ctrl;
ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
/* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
mbuf = kmalloc(ctrls_size, GFP_KERNEL);
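Review bot: the new bound on p->count only stops the multiplication on the following line from wrapping; a count just below ULONG_MAX / sizeof(struct v4l2_ext_control) still passes and hands kmalloc() a size close to ULONG_MAX, which can only fail, so a user-supplied count still reaches the allocator with an absurd size instead of being rejected up front. Consider an explicit maximum for p->count (the number of controls a request can sensibly carry) in place of, or in addition to, the ULONG_MAX division, so the rejection is a clean -EINVAL rather than a failed allocation. Also note that `err = -EINVAL;` is assigned before the `if`, on every pass through this block; that matches the surrounding goto style, but the context shown does not include the later reassignment of err on the success path, so please confirm it is there.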
@@ -1912,6 +1915,9 @@ long video_ioctl2(struct file *file,
p->error_idx = p->count;
user_ptr = (void __user *)p->controls;
if (p->count) {
+ err = -EINVAL;
+ if (p->count > ULONG_MAX / sizeof(struct v4l2_ext_control))
+ goto out_ext_ctrl;
ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
/* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
mbuf = kmalloc(ctrls_size, GFP_KERNEL);
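Review bot: this is the same three-line check as in video_usercopy() in the first hunk, duplicated verbatim in video_ioctl2(); since both places derive ctrls_size from p->count in exactly the same way, a small static helper that validates the count and returns the byte size (or -EINVAL) would keep the two bounds from drifting apart in later backports. The same caveat applies here as above: the division bound rejects wrapping products only, not oversized allocations, so an explicit maximum on p->count would be the tighter check.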
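As an added illustration, not part of Dan's patch or of the kernel source, the following user-space C model shows the wrap the patch guards against and the effect of its divide-before-multiply bound; it narrows `unsigned long` to 32 bits with `uint32_t` and assumes a 20-byte stand-in (`EXT_CONTROL_SIZE`) for sizeof(struct v4l2_ext_control), and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of the patched code path (constructed, not kernel code).
 * The kernel multiplies sizeof(struct v4l2_ext_control) by the
 * user-supplied p->count in an unsigned long, which is 32 bits wide on the
 * 32-bit systems the patch targets; uint32_t stands in for that type.
 * EXT_CONTROL_SIZE is an assumed stand-in for the struct size. */
typedef uint32_t ulong32;
#define ULONG32_MAX UINT32_MAX
#define EXT_CONTROL_SIZE 20u

/* Unpatched computation: the product silently wraps modulo 2^32, so a huge
 * count can yield a tiny allocation that later code indexes by count. */
ulong32 ctrls_size_unchecked(ulong32 count)
{
    return EXT_CONTROL_SIZE * count;
}

/* True when the exact product does not fit in 32 bits (i.e. it wrapped). */
bool product_wraps(ulong32 count)
{
    return (uint64_t)EXT_CONTROL_SIZE * count != ctrls_size_unchecked(count);
}

/* Patched computation, using the patch's divide-before-multiply bound.
 * Returns 0 for a rejected count (the kernel path does "err = -EINVAL;
 * goto out_ext_ctrl"); 0 is never a valid result because this branch only
 * runs when p->count is non-zero. */
ulong32 ctrls_size_checked(ulong32 count)
{
    if (count == 0 || count > ULONG32_MAX / EXT_CONTROL_SIZE)
        return 0;
    return EXT_CONTROL_SIZE * count;
}

int main(void)
{
    /* Constructed sample: 0x0CCCCCCD * 20 = 0x100000004, wrapping to 4. */
    ulong32 hostile = 0x0CCCCCCDu, sane = 64u;
    printf("count=%u unchecked=%u wraps=%d checked=%u\n", hostile,
           ctrls_size_unchecked(hostile), product_wraps(hostile),
           ctrls_size_checked(hostile));
    printf("count=%u unchecked=%u wraps=%d checked=%u\n", sane,
           ctrls_size_unchecked(sane), product_wraps(sane),
           ctrls_size_checked(sane));
    return 0;
}
```

The unchecked path turns the hostile count into a 4-byte size while the checked path rejects it; on a 64-bit build the same count would fit in `unsigned long`, which is why the commit message scopes the bug to 32-bit systems.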