From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
Dan Carpenter <dan.carpenter@oracle.com>,
Mauro Carvalho Chehab <mchehab@redhat.com>
Subject: [15/27] [media] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
Date: Mon, 23 Jan 2012 15:41:01 -0800 [thread overview]
Message-ID: <20120123234202.949515136@clark.kroah.org> (raw)
In-Reply-To: <20120123234224.GA19510@kroah.com>
2.6.32-longterm review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream.
If ctrls->count is too high the multiplication could overflow and
array_size would be lower than expected. Mauro and Hans Verkuil
suggested that we cap it at 1024. That comes from the maximum
number of controls with lots of room for expantion.
$ grep V4L2_CID include/linux/videodev2.h | wc -l
211
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/media/video/v4l2-ioctl.c | 6 ++++++
include/linux/videodev2.h | 1 +
2 files changed, 7 insertions(+)
--- a/drivers/media/video/v4l2-ioctl.c
+++ b/drivers/media/video/v4l2-ioctl.c
@@ -414,6 +414,9 @@ video_usercopy(struct file *file, unsign
p->error_idx = p->count;
user_ptr = (void __user *)p->controls;
if (p->count) {
+ err = -EINVAL;
+ if (p->count > V4L2_CID_MAX_CTRLS)
+ goto out_ext_ctrl;
ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
/* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
mbuf = kmalloc(ctrls_size, GFP_KERNEL);
@@ -1912,6 +1915,9 @@ long video_ioctl2(struct file *file,
p->error_idx = p->count;
user_ptr = (void __user *)p->controls;
if (p->count) {
+ err = -EINVAL;
+ if (p->count > V4L2_CID_MAX_CTRLS)
+ goto out_ext_ctrl;
ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
/* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
mbuf = kmalloc(ctrls_size, GFP_KERNEL);
--- a/include/linux/videodev2.h
+++ b/include/linux/videodev2.h
@@ -858,6 +858,7 @@ struct v4l2_querymenu {
#define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000
/* User-class control IDs defined by V4L2 */
+#define V4L2_CID_MAX_CTRLS 1024
#define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER | 0x900)
#define V4L2_CID_USER_BASE V4L2_CID_BASE
/* IDs reserved for driver specific controls */
next prev parent reply other threads:[~2012-01-23 23:45 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-23 23:42 [00/27] 2.6.32.55-longterm review Greg KH
2012-01-23 23:40 ` [01/27] ext4: fix undefined behavior in ext4_fill_flex_info() Greg KH
2012-01-23 23:40 ` [02/27] ALSA: snd-usb-us122l: Delete calls to preempt_disable Greg KH
2012-01-23 23:40 ` [03/27] ALSA: ice1724 - Check for ac97 to avoid kernel oops Greg KH
2012-01-23 23:40 ` [04/27] ALSA: hda - Return the error from get_wcaps_type() for invalid NIDs Greg KH
2012-01-23 23:40 ` [05/27] HID: bump maximum global item tag report size to 96 bytes Greg KH
2012-01-23 23:40 ` [06/27] UBI: fix use-after-free on error path Greg KH
2012-01-23 23:40 ` [07/27] PCI: Fix PCI_EXP_TYPE_RC_EC value Greg KH
2012-01-23 23:40 ` [08/27] PCI: msi: Disable msi interrupts when we initialize a pci device Greg KH
2012-01-23 23:40 ` [09/27] xen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX Greg KH
2012-01-23 23:40 ` [10/27] ima: free duplicate measurement memory Greg KH
2012-01-23 23:40 ` [11/27] PNP: work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB Greg KH
2012-01-23 23:40 ` [12/27] x86: Fix mmap random address range Greg KH
2012-01-23 23:40 ` [13/27] UBI: fix nameless volumes handling Greg KH
2012-01-23 23:41 ` [14/27] i2c: Fix error value returned by several bus drivers Greg KH
2012-01-23 23:41 ` Greg KH [this message]
2012-01-23 23:41 ` [16/27] svcrpc: fix double-free on shutdown of nfsd after changing pool mode Greg KH
2012-01-23 23:41 ` [17/27] svcrpc: destroy server sockets all at once Greg KH
2012-01-23 23:41 ` [18/27] nfsd: Fix oops when parsing a 0 length export Greg KH
2012-01-23 23:41 ` [19/27] USB: cdc-wdm: fix misuse of logical operation in place of bitop Greg KH
2012-01-23 23:41 ` [20/27] [S390] fix cputime overflow in uptime_proc_show Greg KH
2012-01-23 23:41 ` [21/27] USB: Fix bad dma problem on WDM device disconnect Greg KH
2012-01-23 23:41 ` [22/27] block: add and use scsi_blk_cmd_ioctl Greg KH
2012-01-23 23:41 ` [23/27] kernel.h: add printk_ratelimited and pr_<level>_rl Greg KH
2012-01-24 14:46 ` Phil Carmody
2012-01-24 16:35 ` Ben Hutchings
2012-01-24 16:43 ` Greg KH
2012-01-23 23:41 ` [24/27] ALSA: HDA: Fix internal microphone on Dell Studio 16 XPS 1645 Greg KH
2012-01-23 23:41 ` [25/27] [SCSI] sym53c8xx: Fix NULL pointer dereference in slave_destroy Greg KH
2012-01-23 23:41 ` [26/27] score: fix off-by-one index into syscall table Greg KH
2012-01-23 23:41 ` [27/27] kprobes: initialize before using a hlist Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120123234202.949515136@clark.kroah.org \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=dan.carpenter@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab@redhat.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox