[PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver

public inbox for linux-media@vger.kernel.org
 help / color / mirror / Atom feed

From: Guenter Roeck <linux@roeck-us.net>
To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Richard Simmons <rssimmo@amazon.com>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
	Robb Glasser <rglasser@google.com>,
	Guenter Roeck <linux@roeck-us.net>
Subject: [PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver
Date: Fri, 30 Jun 2017 09:21:56 -0700	[thread overview]
Message-ID: <1498839716-31918-1-git-send-email-linux@roeck-us.net> (raw)

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Originally-from: Richard Simmons <rssimmo@amazon.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
---
Fixes CVE-2017-0627.

v2: Combination of v1 with the fix suggested by Richard Simmons
    Perform validation after uvc_ctrl_fill_xu_info()
    Take into account that ctrl->info.size is in bytes
    Also validate mapping->size

 drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
index c2ee6e39fd0c..d3e3164f43fd 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -2002,6 +2002,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
 		goto done;
 	}
 
+	/* validate that the user provided bit-size and offset is valid */
+	if (mapping->size > 32 ||
+	    mapping->offset + mapping->size > ctrl->info.size * 8) {
+		ret = -EINVAL;
+		goto done;
+	}
+
 	list_for_each_entry(map, &ctrl->info.mappings, list) {
 		if (mapping->id == map->id) {
 			uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "
-- 
2.7.4

next             reply	other threads:[~2017-06-30 16:22 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-30 16:21 Guenter Roeck [this message]
2017-07-06 18:39 ` [PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver Guenter Roeck
2017-07-11 16:47 ` Guenter Roeck
2017-07-12  0:58 ` Laurent Pinchart

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c2ee6e39fd0 dfblob:d3e3164f43f )
 OR (
bs:"[PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1498839716-31918-1-git-send-email-linux@roeck-us.net \
    --to=linux@roeck-us.net \
    --cc=laurent.pinchart@ideasonboard.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=rglasser@google.com \
    --cc=rssimmo@amazon.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox