* [PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver
@ 2017-06-30 16:21 Guenter Roeck
2017-07-06 18:39 ` Guenter Roeck
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Guenter Roeck @ 2017-06-30 16:21 UTC (permalink / raw)
To: Laurent Pinchart
Cc: Richard Simmons, Mauro Carvalho Chehab, linux-media, linux-kernel,
Robb Glasser, Guenter Roeck
The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.
Originally-from: Richard Simmons <rssimmo@amazon.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
---
Fixes CVE-2017-0627.
v2: Combination of v1 with the fix suggested by Richard Simmons
Perform validation after uvc_ctrl_fill_xu_info()
Take into account that ctrl->info.size is in bytes
Also validate mapping->size
drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
index c2ee6e39fd0c..d3e3164f43fd 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -2002,6 +2002,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
goto done;
}
+ /* validate that the user provided bit-size and offset is valid */
+ if (mapping->size > 32 ||
+ mapping->offset + mapping->size > ctrl->info.size * 8) {
+ ret = -EINVAL;
+ goto done;
+ }
+
list_for_each_entry(map, &ctrl->info.mappings, list) {
if (mapping->id == map->id) {
uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "
--
2.7.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver
2017-06-30 16:21 [PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver Guenter Roeck
@ 2017-07-06 18:39 ` Guenter Roeck
2017-07-11 16:47 ` Guenter Roeck
2017-07-12 0:58 ` Laurent Pinchart
2 siblings, 0 replies; 4+ messages in thread
From: Guenter Roeck @ 2017-07-06 18:39 UTC (permalink / raw)
To: Laurent Pinchart
Cc: Richard Simmons, Mauro Carvalho Chehab, linux-media, linux-kernel,
Robb Glasser
On Fri, Jun 30, 2017 at 09:21:56AM -0700, Guenter Roeck wrote:
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
>
> Originally-from: Richard Simmons <rssimmo@amazon.com>
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Any comments ?
Thanks,
Guenter
> ---
> Fixes CVE-2017-0627.
>
> v2: Combination of v1 with the fix suggested by Richard Simmons
> Perform validation after uvc_ctrl_fill_xu_info()
> Take into account that ctrl->info.size is in bytes
> Also validate mapping->size
>
> drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
> index c2ee6e39fd0c..d3e3164f43fd 100644
> --- a/drivers/media/usb/uvc/uvc_ctrl.c
> +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> @@ -2002,6 +2002,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
> goto done;
> }
>
> + /* validate that the user provided bit-size and offset is valid */
> + if (mapping->size > 32 ||
> + mapping->offset + mapping->size > ctrl->info.size * 8) {
> + ret = -EINVAL;
> + goto done;
> + }
> +
> list_for_each_entry(map, &ctrl->info.mappings, list) {
> if (mapping->id == map->id) {
> uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "
> --
> 2.7.4
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver
2017-06-30 16:21 [PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver Guenter Roeck
2017-07-06 18:39 ` Guenter Roeck
@ 2017-07-11 16:47 ` Guenter Roeck
2017-07-12 0:58 ` Laurent Pinchart
2 siblings, 0 replies; 4+ messages in thread
From: Guenter Roeck @ 2017-07-11 16:47 UTC (permalink / raw)
To: Laurent Pinchart
Cc: Richard Simmons, Mauro Carvalho Chehab, linux-media, linux-kernel,
Robb Glasser
Any comments / feedback ?
Thanks,
Guenter
On Fri, Jun 30, 2017 at 09:21:56AM -0700, Guenter Roeck wrote:
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
>
> Originally-from: Richard Simmons <rssimmo@amazon.com>
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> ---
> Fixes CVE-2017-0627.
>
> v2: Combination of v1 with the fix suggested by Richard Simmons
> Perform validation after uvc_ctrl_fill_xu_info()
> Take into account that ctrl->info.size is in bytes
> Also validate mapping->size
>
> drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
> index c2ee6e39fd0c..d3e3164f43fd 100644
> --- a/drivers/media/usb/uvc/uvc_ctrl.c
> +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> @@ -2002,6 +2002,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
> goto done;
> }
>
> + /* validate that the user provided bit-size and offset is valid */
> + if (mapping->size > 32 ||
> + mapping->offset + mapping->size > ctrl->info.size * 8) {
> + ret = -EINVAL;
> + goto done;
> + }
> +
> list_for_each_entry(map, &ctrl->info.mappings, list) {
> if (mapping->id == map->id) {
> uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "
> --
> 2.7.4
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver
2017-06-30 16:21 [PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver Guenter Roeck
2017-07-06 18:39 ` Guenter Roeck
2017-07-11 16:47 ` Guenter Roeck
@ 2017-07-12 0:58 ` Laurent Pinchart
2 siblings, 0 replies; 4+ messages in thread
From: Laurent Pinchart @ 2017-07-12 0:58 UTC (permalink / raw)
To: Guenter Roeck
Cc: Richard Simmons, Mauro Carvalho Chehab, linux-media, linux-kernel,
Robb Glasser
Hi Guenter,
Thank you for the patch and sorry for the late reply.
On Friday 30 Jun 2017 09:21:56 Guenter Roeck wrote:
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
>
> Originally-from: Richard Simmons <rssimmo@amazon.com>
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
This looks good to me.
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
and taken in my tree for v4.14 with a Cc: stable@vger.kernel.org tag to get it
backported to stable kernels.
> ---
> Fixes CVE-2017-0627.
>
> v2: Combination of v1 with the fix suggested by Richard Simmons
> Perform validation after uvc_ctrl_fill_xu_info()
> Take into account that ctrl->info.size is in bytes
> Also validate mapping->size
>
> drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/media/usb/uvc/uvc_ctrl.c
> b/drivers/media/usb/uvc/uvc_ctrl.c index c2ee6e39fd0c..d3e3164f43fd 100644
> --- a/drivers/media/usb/uvc/uvc_ctrl.c
> +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> @@ -2002,6 +2002,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain
> *chain, goto done;
> }
>
> + /* validate that the user provided bit-size and offset is valid */
> + if (mapping->size > 32 ||
> + mapping->offset + mapping->size > ctrl->info.size * 8) {
> + ret = -EINVAL;
> + goto done;
> + }
> +
> list_for_each_entry(map, &ctrl->info.mappings, list) {
> if (mapping->id == map->id) {
> uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s',
"
--
Regards,
Laurent Pinchart
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-07-12 0:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-30 16:21 [PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver Guenter Roeck
2017-07-06 18:39 ` Guenter Roeck
2017-07-11 16:47 ` Guenter Roeck
2017-07-12 0:58 ` Laurent Pinchart
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox