Date: Thu, 6 Jul 2017 11:39:35 -0700
From: Guenter Roeck
To: Laurent Pinchart
Cc: Richard Simmons, Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Robb Glasser
Subject: Re: [PATCH v2] [media] uvcvideo: Prevent heap overflow in uvc driver
Message-ID: <20170706183935.GA13082@roeck-us.net>
In-Reply-To: <1498839716-31918-1-git-send-email-linux@roeck-us.net>

On Fri, Jun 30, 2017 at 09:21:56AM -0700, Guenter Roeck wrote:
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
>
> Originally-from: Richard Simmons
> Signed-off-by: Guenter Roeck Any comments ? Thanks, Guenter > --- > Fixes CVE-2017-0627. > > v2: Combination of v1 with the fix suggested by Richard Simmons > Perform validation after uvc_ctrl_fill_xu_info() > Take into account that ctrl->info.size is in bytes > Also validate mapping->size > > drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c > index c2ee6e39fd0c..d3e3164f43fd 100644 > --- a/drivers/media/usb/uvc/uvc_ctrl.c > +++ b/drivers/media/usb/uvc/uvc_ctrl.c > @@ -2002,6 +2002,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain, > goto done; > } > > + /* validate that the user provided bit-size and offset is valid */ > + if (mapping->size > 32 || > + mapping->offset + mapping->size > ctrl->info.size * 8) { > + ret = -EINVAL; > + goto done; > + } > + > list_for_each_entry(map, &ctrl->info.mappings, list) { > if (mapping->id == map->id) { > uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', " > -- > 2.7.4 >
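Review bot: the second condition of the added check in uvc_ctrl_add_mapping() bounds the mapping with a sum, mapping->offset + mapping->size > ctrl->info.size * 8, and whether that sum or the multiplication by 8 can wrap depends on field types that this hunk does not show. If the fields are narrower than int the arithmetic is safe after integer promotion, but the check would not rely on that if it first compared mapping->size against ctrl->info.size * 8 and then tested mapping->offset > ctrl->info.size * 8 - mapping->size. The literal 32 is also unexplained; the comment could say which 32-bit limit it reflects. The new -EINVAL path is silent, while the id comparison in the loop directly below reports through uvc_trace(UVC_TRACE_CONTROL, ...); a trace line here would make rejected mappings diagnosable.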