[PATCH 6.1 12/25] usb: gadget: uvc: Prevent buffer overflow in setup handler

public inbox for patches@lists.linux.dev
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, stable <stable@kernel.org>,
	Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
	Daniel Scally <dan.scally@ideasonboard.com>,
	Szymon Heidrich <szymon.heidrich@gmail.com>
Subject: [PATCH 6.1 12/25] usb: gadget: uvc: Prevent buffer overflow in setup handler
Date: Mon, 19 Dec 2022 20:22:51 +0100	[thread overview]
Message-ID: <20221219182943.912391400@linuxfoundation.org> (raw)
In-Reply-To: <20221219182943.395169070@linuxfoundation.org>

From: Szymon Heidrich <szymon.heidrich@gmail.com>

commit 4c92670b16727365699fe4b19ed32013bab2c107 upstream.

Setup function uvc_function_setup permits control transfer
requests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE),
data stage handler for OUT transfer uses memcpy to copy req->actual
bytes to uvc_event->data.data array of size 60. This may result
in an overflow of 4 bytes.

Fixes: cdda479f15cd ("USB gadget: video class function driver")
Cc: stable <stable@kernel.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Link: https://lore.kernel.org/r/20221206141301.51305-1-szymon.heidrich@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_uvc.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -216,8 +216,9 @@ uvc_function_ep0_complete(struct usb_ep
 
 		memset(&v4l2_event, 0, sizeof(v4l2_event));
 		v4l2_event.type = UVC_EVENT_DATA;
-		uvc_event->data.length = req->actual;
-		memcpy(&uvc_event->data.data, req->buf, req->actual);
+		uvc_event->data.length = min_t(unsigned int, req->actual,
+			sizeof(uvc_event->data.data));
+		memcpy(&uvc_event->data.data, req->buf, uvc_event->data.length);
 		v4l2_event_queue(&uvc->vdev, &v4l2_event);
 	}
 }

next prev parent reply	other threads:[~2022-12-19 19:24 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-19 19:22 [PATCH 6.1 00/25] 6.1.1-rc1 review Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 01/25] x86/vdso: Conditionally export __vdso_sgx_enter_enclave() Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 02/25] libbpf: Fix uninitialized warning in btf_dump_dump_type_data Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 03/25] PCI: mt7621: Add sentinel to quirks table Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 04/25] mips: ralink: mt7621: define MT7621_SYSC_BASE with __iomem Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 05/25] mips: ralink: mt7621: soc queries and tests as functions Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 06/25] mips: ralink: mt7621: do not use kzalloc too early Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 07/25] irqchip/ls-extirq: Fix endianness detection Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 08/25] udf: Discard preallocation before extending file with a hole Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 09/25] udf: Fix preallocation discarding at indirect extent boundary Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 10/25] udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 11/25] udf: Fix extending file within last block Greg Kroah-Hartman
2022-12-19 19:22 ` Greg Kroah-Hartman [this message]
2022-12-19 19:22 ` [PATCH 6.1 13/25] USB: serial: option: add Quectel EM05-G modem Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 14/25] USB: serial: cp210x: add Kamstrup RF sniffer PIDs Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 15/25] USB: serial: f81232: fix division by zero on line-speed change Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 16/25] USB: serial: f81534: " Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 17/25] ALSA: hda/realtek: fix mute/micmute LEDs for a HP ProBook Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 18/25] xhci: Apply XHCI_RESET_TO_DEFAULT quirk to ADL-N Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 19/25] staging: r8188eu: fix led register settings Greg Kroah-Hartman
2022-12-19 19:22 ` [PATCH 6.1 20/25] igb: Initialize mailbox message for VF reset Greg Kroah-Hartman
2022-12-19 19:23 ` [PATCH 6.1 21/25] usb: typec: ucsi: Resume in separate work Greg Kroah-Hartman
2022-12-19 19:23 ` [PATCH 6.1 22/25] usb: dwc3: pci: Update PCIe device ID for USB3 controller on CPU sub-system for Raptor Lake Greg Kroah-Hartman
2022-12-19 19:23 ` [PATCH 6.1 23/25] cifs: fix oops during encryption Greg Kroah-Hartman
2022-12-19 19:23 ` [PATCH 6.1 24/25] KEYS: encrypted: fix key instantiation with user-provided data Greg Kroah-Hartman
2022-12-19 19:23 ` [PATCH 6.1 25/25] usb: ulpi: defer ulpi_register on ulpi_read_id timeout Greg Kroah-Hartman
2022-12-20  0:15 ` [PATCH 6.1 00/25] 6.1.1-rc1 review Shuah Khan
2022-12-20  0:21 ` Florian Fainelli
2022-12-20  4:45 ` Bagas Sanjaya
2022-12-20  7:41 ` Ron Economos
2022-12-20  9:20 ` Rudi Heitbaum
2022-12-20 10:51 ` Naresh Kamboju
2022-12-20 12:26 ` Sudip Mukherjee (Codethink)
2022-12-20 14:31   ` Sudip Mukherjee
2022-12-21 18:19     ` Greg Kroah-Hartman
2022-12-20 15:00 ` Guenter Roeck
2022-12-20 15:10   ` Greg Kroah-Hartman
2022-12-20 16:11     ` Guenter Roeck
2022-12-21  6:34       ` Jiri Slaby
2022-12-21 18:20         ` Greg Kroah-Hartman
2022-12-22  8:07         ` Thorsten Leemhuis
2022-12-21 16:12       ` Greg Kroah-Hartman
2022-12-20 18:09 ` Jon Hunter
2022-12-20 18:57 ` Allen Pais
2022-12-21  1:13 ` Slade Watkins
2022-12-21 16:18 ` Justin Forbes
2022-12-29  7:36 ` Thierry Reding

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221219182943.912391400@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=dan.scally@ideasonboard.com \
    --cc=laurent.pinchart@ideasonboard.com \
    --cc=patches@lists.linux.dev \
    --cc=stable@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=szymon.heidrich@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox