From: Mauro Carvalho Chehab <mchehab@infradead.org>
To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Haogang Chen <haogangchen@gmail.com>,
	linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Media: video: uvc: integer overflow in uvc_ioctl_ctrl_map()
Date: Sun, 11 Dec 2011 08:22:29 -0200
Message-ID: <4EE48465.9060706@infradead.org>
In-Reply-To: <201111300222.42162.laurent.pinchart@ideasonboard.com>

On 29-11-2011 23:22, Laurent Pinchart wrote:
> Hi Haogang,
>
> On Tuesday 29 November 2011 22:32:25 Haogang Chen wrote:
>> There is a potential integer overflow in uvc_ioctl_ctrl_map(). When a
>> large xmap->menu_count is passed from the userspace, the subsequent call
>> to kmalloc() will allocate a buffer smaller than expected.
>> map->menu_count and map->menu_info would later be used in a loop (e.g.
>> in uvc_query_v4l2_ctrl), which leads to out-of-bound access.
>>
>> The patch checks the ioctl argument and returns -EINVAL for zero or too
>> large values in xmap->menu_count.
>
> Thanks for the patch.

I'm assuming that either one of you will re-send the patches with the
pointed changes, so, I'm marking this one with "changes requested" at
patchwork.

>
>> Signed-off-by: Haogang Chen<haogangchen@gmail.com>
>> ---
>>   drivers/media/video/uvc/uvc_v4l2.c |    6 ++++++
>>   1 files changed, 6 insertions(+), 0 deletions(-)
>>
>> diff --git a/drivers/media/video/uvc/uvc_v4l2.c
>> b/drivers/media/video/uvc/uvc_v4l2.c index dadf11f..9a180d6 100644
>> --- a/drivers/media/video/uvc/uvc_v4l2.c
>> +++ b/drivers/media/video/uvc/uvc_v4l2.c
>> @@ -58,6 +58,12 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain
>> *chain, break;
>>
>>   	case V4L2_CTRL_TYPE_MENU:
>> +		if (xmap->menu_count == 0 ||
>> +		    xmap->menu_count>  INT_MAX / sizeof(*map->menu_info)) {
>
> I'd like to prevent excessive memory consumption by limiting the number of
> menu entries, similarly to how the driver limits the number of mappings.
> Defining UVC_MAX_CONTROL_MENU_ENTRIES to 32 in uvcvideo.h should be a
> reasonable value.
>
>> +			kfree(map);
>> +			return -EINVAL;
>
> I'd rather do
>
> 	ret = -EINVAL;
> 	goto done;
>
> to centralize error handling.
>
> If you're fine with both changes I can modify the patch, there's no need to
> resubmit.
>
>> +		}
>> +
>>   		size = xmap->menu_count * sizeof(*map->menu_info);
>>   		map->menu_info = kmalloc(size, GFP_KERNEL);
>>   		if (map->menu_info == NULL) {
>
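Review bot: the upper bound in the added check at the top of case V4L2_CTRL_TYPE_MENU, xmap->menu_count > INT_MAX / sizeof(*map->menu_info), only keeps the product in size = xmap->menu_count * sizeof(*map->menu_info) from exceeding INT_MAX, so a caller can still make the driver attempt a kmalloc() of close to INT_MAX bytes for a single mapping. A small fixed limit on menu_count, such as the UVC_MAX_CONTROL_MENU_ENTRIES value of 32 proposed in the interleaved reply, covers both the wrap-around and the memory consumption, and makes the INT_MAX test redundant. The early exit also calls kfree(map) and returns by hand; if the function has a common cleanup label, as the reply's "goto done" implies, setting ret = -EINVAL and jumping there keeps a single free path. The missing space in "menu_count>  INT_MAX" should be fixed before the patch is applied.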

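The wrap-around described in the quoted patch description, as an added user-space illustration that is not code from this thread or from the uvcvideo driver. Assumptions: struct menu_entry is a constructed 36-byte stand-in for the driver's menu entry type, size is taken to be a 32-bit unsigned value, and MAX_MENU_ENTRIES mirrors the limit of 32 proposed in the review.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for one menu entry (assumption: the real layout
 * is not shown in the thread). 4 + 32 = 36 bytes. */
struct menu_entry { uint32_t value; uint8_t name[32]; };
_Static_assert(sizeof(struct menu_entry) == 36, "example assumes 36 bytes");

#define MAX_MENU_ENTRIES 32u	/* hypothetical name; 32 is the value from the review */

/* Unchecked form: the byte count is truncated to 32 bits
 * (assumption: the driver's size variable is 32 bits wide). */
static uint32_t unchecked_size(uint32_t menu_count)
{
	return (uint32_t)(menu_count * sizeof(struct menu_entry));
}

/* Checked form: rejects zero, rejects counts whose byte size would exceed
 * INT_MAX (the test the patch adds), and applies the small fixed cap.
 * Returns 0 and stores the size, or -EINVAL. */
static int checked_size(uint32_t menu_count, uint32_t *size)
{
	if (menu_count == 0 ||
	    menu_count > INT_MAX / sizeof(struct menu_entry) ||
	    menu_count > MAX_MENU_ENTRIES)
		return -EINVAL;
	*size = (uint32_t)(menu_count * sizeof(struct menu_entry));
	return 0;
}

int main(void)
{
	/* Constructed input: 2^30 + 1 entries; 36 * 2^30 is a multiple of 2^32. */
	uint32_t count = 0x40000001u, size = 0;

	printf("unchecked: %u entries -> %u bytes allocated\n",
	       (unsigned)count, (unsigned)unchecked_size(count));
	printf("checked:   %u entries -> %d\n",
	       (unsigned)count, checked_size(count, &size));
	printf("checked:   32 entries -> %d\n", checked_size(32, &size));
	return 0;
}
```

The unchecked path sizes the buffer for a single entry while the stored count still claims over a billion, which is the mismatch later loops over menu_info would walk past.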
