From: Matthew Garrett <mjg59@srcf.ucam.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: greg@kroah.com, justinmattock@gmail.com,
linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
Subject: Re: [PATCH] isight_firmware: Avoid crash on loading invalid firmware
Date: Fri, 6 Jun 2008 20:48:56 +0100
Message-ID: <20080606194856.GA17708@srcf.ucam.org>
In-Reply-To: <20080606123511.38ffbdde.akpm@linux-foundation.org>
Different tools generate slightly different formats of the isight
firmware. Ensure that the firmware buffer is not overrun, while still
ensuring that the correct amount of data is written if trailing data is
present. Fixes crash reported by Justin Mattock.
Signed-off-by: Matthew Garrett <mjg@redhat.com>
---
Identical to the previous patch, just acknowledges Justin Mattock's (not
Maddock, Andrew :p) report in the changelog.
diff --git a/drivers/usb/misc/isight_firmware.c b/drivers/usb/misc/isight_firmware.c
index 390e048..9f30aa1 100644
--- a/drivers/usb/misc/isight_firmware.c
+++ b/drivers/usb/misc/isight_firmware.c
@@ -39,9 +39,12 @@ static int isight_firmware_load(struct usb_interface *intf,
struct usb_device *dev = interface_to_usbdev(intf);
int llen, len, req, ret = 0;
const struct firmware *firmware;
- unsigned char *buf;
+ unsigned char *buf = kmalloc(50, GFP_KERNEL);
unsigned char data[4];
- char *ptr;
+ u8 *ptr;
+
+ if (!buf)
+ return -ENOMEM;
if (request_firmware(&firmware, "isight.fw", &dev->dev) != 0) {
printk(KERN_ERR "Unable to load isight firmware\n");
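Review bot: buf is now allocated in its declaration, before request_firmware() is called, so the request_firmware() failure branch at the end of this hunk has to release it. The lines after the printk are not shown here; if that branch returns directly, the 50-byte buffer leaks on every failed firmware lookup. Either free buf in that branch, or move the kmalloc() to just after request_firmware() succeeds, which also keeps an allocation that can fail out of the declaration block.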
@@ -59,7 +62,7 @@ static int isight_firmware_load(struct usb_interface *intf,
goto out;
}
- while (1) {
+ while (ptr+4 <= firmware->data+firmware->size) {
memcpy(data, ptr, 4);
len = (data[0] << 8 | data[1]);
req = (data[2] << 8 | data[3]);
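Review bot: when the new loop condition `ptr+4 <= firmware->data+firmware->size` becomes false, the loop just ends with ret still 0 and the function goes on to send the completion control message. That is what you want for a few stray trailing bytes, but an image that has been cut short on a record boundary is then reported as a successful load. Consider setting an error (or at least logging) when the loop ends because the data ran out rather than through the exit a well-formed image takes. A short comment on the condition saying that each record starts with a 4-byte len/req header would also help the next reader.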
@@ -71,10 +74,14 @@ static int isight_firmware_load(struct usb_interface *intf,
continue;
for (; len > 0; req += 50) {
- llen = len > 50 ? 50 : len;
+ llen = min(len, 50);
len -= llen;
-
- buf = kmalloc(llen, GFP_KERNEL);
+ if (ptr+llen > firmware->data+firmware->size) {
+ printk(KERN_ERR
+ "Malformed isight firmware");
+ ret = -ENODEV;
+ goto out;
+ }
memcpy(buf, ptr, llen);
ptr += llen;
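Review bot: the new printk string "Malformed isight firmware" has no trailing "\n", unlike the other messages in this function, so the following kernel log line can end up appended to it. Separately, 50 now appears here in min(len, 50) and in the kmalloc(50, GFP_KERNEL) at the top of the function; a single #define for the chunk size would keep the buffer size and the copy limit from drifting apart, since memcpy(buf, ptr, llen) relies on the two matching.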
@@ -89,16 +96,18 @@ static int isight_firmware_load(struct usb_interface *intf,
goto out;
}
- kfree(buf);
}
}
+
if (usb_control_msg
(dev, usb_sndctrlpipe(dev, 0), 0xa0, 0x40, 0xe600, 0, "\0", 1,
300) != 1) {
printk(KERN_ERR "isight firmware loading completion failed\n");
ret = -ENODEV;
}
+
out:
+ kfree(buf);
release_firmware(firmware);
return ret;
}
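Review bot: with kfree(buf) moved under `out:`, that label now releases both buf and firmware, which is only safe for jumps taken after request_firmware() has succeeded: firmware is declared without an initialiser, so a `goto out` from the request_firmware() failure path would hand release_firmware() an uninitialised pointer. Initialising it (`const struct firmware *firmware = NULL;`) or adding a second label that only frees buf would make the shared cleanup safe for every exit. The two added blank lines around the completion message are unrelated whitespace churn and could be dropped from a fix-only patch.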
--
Matthew Garrett | mjg59@srcf.ucam.org