Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751922AbdF1SSr (ORCPT <rfc822;w@1wt.eu>);
        Wed, 28 Jun 2017 14:18:47 -0400
Received: from galahad.ideasonboard.com ([185.26.127.97]:38158 "EHLO
        galahad.ideasonboard.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751492AbdF1SSl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 28 Jun 2017 14:18:41 -0400
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Guenter Roeck <linux@roeck-us.net>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>,
        linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
        Robb Glasser <rglasser@google.com>
Subject: Re: [media] uvcvideo: Prevent heap overflow in uvc driver
Date: Wed, 28 Jun 2017 21:18:37 +0300
Message-ID: <1612560.vxfrDdQTFq@avalon>
User-Agent: KMail/4.14.10 (Linux/4.9.16-gentoo; KDE/4.14.32; x86_64; ; )
In-Reply-To: <1797631.lsAEjhpLaU@avalon>
References: <1495482484-32125-1-git-send-email-linux@roeck-us.net> <20170628143643.GA30654@roeck-us.net> <1797631.lsAEjhpLaU@avalon>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2057
Lines: 64

Hi Guenter,

On Wednesday 28 Jun 2017 20:59:17 Laurent Pinchart wrote:
> On Wednesday 28 Jun 2017 07:36:43 Guenter Roeck wrote:
> > On Mon, May 22, 2017 at 12:48:04PM -0700, Guenter Roeck wrote:
> >> From: Robb Glasser <rglasser@google.com>
> >> 
> >> The size of uvc_control_mapping is user controlled leading to a
> >> potential heap overflow in the uvc driver. This adds a check to verify
> >> the user provided size fits within the bounds of the defined buffer
> >> size.
> >> 
> >> Signed-off-by: Robb Glasser <rglasser@google.com>
> >> [groeck: cherry picked from
> >> 
> >>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
> >>  commit b7b99e55bc7770187913ed092990852ea52d7892;
> >>  updated subject]
> >> 
> >> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> >> ---
> >> Fixes CVE-2017-0627.
> > 
> > Please do not apply this patch. It is buggy.
> 
> I apologize for not noticing the initial patch, even if it looks like it was
> all for the best. Will you send a new version ?
> 
> >>  drivers/media/usb/uvc/uvc_ctrl.c | 3 +++
> >>  1 file changed, 3 insertions(+)
> >> 
> >> diff --git a/drivers/media/usb/uvc/uvc_ctrl.c
> >> b/drivers/media/usb/uvc/uvc_ctrl.c index c2ee6e39fd0c..252ab991396f
> >> 100644
> >> --- a/drivers/media/usb/uvc/uvc_ctrl.c
> >> +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> >> @@ -1992,6 +1992,9 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain
> >> *chain,
> >>  	if (!found)
> >>  		return -ENOENT;
> >> 
> >> +	if (ctrl->info.size < mapping->size)
> >> +		return -EINVAL;
> >> +

By the way, I believe the right fix should be

	if (mapping->offset + mapping->size > ctrl->info.size * 8)
		return -EINVAL;

Both mapping->offset and mapping->size are 8-bit integers, so there's no risk 
of overflow in the addition. If we want to safeguard against a possible future 
bug if the type of the fields change, we could add

	if (mapping->offset + mapping->size < mapping->offset)
		return -EINVAL;

> >>  	if (mutex_lock_interruptible(&chain->ctrl_mutex))
> >>  		return -ERESTARTSYS;

-- 
Regards,

Laurent Pinchart