Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3648881imu; Tue, 18 Dec 2018 01:43:12 -0800 (PST) X-Google-Smtp-Source: AFSGD/XCYOFNKYyJ2Mxtygy6TETg38t4MuAmAxzGgtCbrmHkhlgQSaWnrOC5Jjm77h6e8O9DAX6r X-Received: by 2002:a17:902:7d90:: with SMTP id a16mr15099575plm.249.1545126191983; Tue, 18 Dec 2018 01:43:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1545126191; cv=none; d=google.com; s=arc-20160816; b=GOO64NK7CTofAsr4YXRP2SrT9/Qj5/rP8DM1o+C7NSMpTNmpgxaSeDvGHrmlzw0dDR Njn9/P4DEZ1PxI/ZUOP+sHm1olhNJgz8GqQjiuXaAu20teS9uYt0IG8ulcUSCuPWtNXd VHa1EbXxza/kYA2U6zLLKWPK3opILqXOpx/MiV1cHSB0UliKWSO4jvDmqoKBx1LyGiBP unpwioHOCXHke6GCesuiDR9lGn+/FAaZ43a1dpibeSbsevTajbF+CWkPP9/9vEWwRQdi FE9++MxSyMCEIOYqEI2Dw2Gs47weFNd/OnSgvfadx6/JYJ96Oh++WCRVlErVbqDn5yRy qcoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:organization:message-id:date:subject:cc:to :from:dkim-signature; bh=wX0pUq13Go4l51GwbdelLtvBBzdYGl3gKBrSr2EjrW0=; b=Bq1bbqxAFAmh6kb3PAI7bt/fQ0NmF5ARceVsfBE0AJGjsdTuE/szgWcRobER+Y6QYm sYYBoQDrWOxjn3fCJmBPk1HRZI4zbZQkW84OMBFrxq6qurgqDCT+BF+EsDcAnzufUWhL YoW+tgkJBPGaMOGXyVBl6453igj8IcqDgw1Jt7J//8DaM5JuJ9+XRqzQ5L8ALkktArly 11rYS4usG+0EbSeWiA557Xs7dJqVBmI45kjc01+7/qmI5c7/lp9Ix2etS1nLwZn+tX17 VZks+nda7dP4k20pcshomf22Ex6+wISb6WxIpLrdDYTBzBHhYF4XhGcs1gk/oykyo1wO CrpQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass (test mode) header.i=@ideasonboard.com header.s=mail header.b="MW/Kutmz"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b2si12499036pgq.275.2018.12.18.01.42.56; Tue, 18 Dec 2018 01:43:11 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass (test mode) header.i=@ideasonboard.com header.s=mail header.b="MW/Kutmz"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726414AbeLRJmH (ORCPT + 99 others); Tue, 18 Dec 2018 04:42:07 -0500 Received: from perceval.ideasonboard.com ([213.167.242.64]:38432 "EHLO perceval.ideasonboard.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726358AbeLRJmH (ORCPT ); Tue, 18 Dec 2018 04:42:07 -0500 Received: from avalon.localnet (dfj612ybrt5fhg77mgycy-3.rev.dnainternet.fi [IPv6:2001:14ba:21f5:5b00:2e86:4862:ef6a:2804]) by perceval.ideasonboard.com (Postfix) with ESMTPSA id AE2C953A; Tue, 18 Dec 2018 10:42:03 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com; s=mail; t=1545126124; bh=XunOINnwadmpU9sTmIhA/wdBl8KY10IfxKFHeeqi4ks=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MW/KutmzKu1sS4EtaZ2OypD2PbyvAUhmLLhlisfU0C8tEiKaY1QQ7VgzkDSIdqJgt sGx7/fnkCccezUr5U6B1fJgxJYNlLAlmqhe/wuBRJPiBpDrKWhwjeOGQG9tCFVerrQ rRUEyOU6GZ7azOMi+lGY07RRyJyLu7Bl3Ie+OWpc= From: Laurent Pinchart To: Alistair Strachan Cc: linux-kernel@vger.kernel.org, syzbot , Mauro Carvalho Chehab , linux-media@vger.kernel.org, kernel-team@android.com Subject: Re: [PATCH] media: uvcvideo: Fix 'type' check leading to overflow Date: Tue, 18 Dec 2018 11:42:54 +0200 Message-ID: <45456214.XvNNoR8qLh@avalon> Organization: Ideas on Board Oy In-Reply-To: <20181217210222.115419-1-astrachan@google.com> References: <20181217210222.115419-1-astrachan@google.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Alistair, Thank you for the patch. On Monday, 17 December 2018 23:02:22 EET Alistair Strachan wrote: > When initially testing the Camera Terminal Descriptor wTerminalType > field (buffer[4]), no mask is used. Later in the function, the MSB is > overloaded to store the descriptor subtype, and so a mask of 0x7fff > is used to check the type. > > If a descriptor is specially crafted to set this overloaded bit in the > original wTerminalType field, the initial type check will fail (falling > through, without adjusting the buffer size), but the later type checks > will pass, assuming the buffer has been made suitably large, causing an > overflow. > > This problem could be resolved in a few different ways, but this fix > applies the same initial type check as used by UVC_ENTITY_TYPE (once we > have a 'term' structure.) Such crafted wTerminalType fields will then be > treated as *generic* Input Terminals, not as CAMERA or > MEDIA_TRANSPORT_INPUT, avoiding an overflow. > > Originally reported here: > https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8 > A similar (non-compiling) patch was provided at that time. > > Reported-by: syzbot > Signed-off-by: Alistair Strachan > Cc: Laurent Pinchart > Cc: Mauro Carvalho Chehab > Cc: linux-media@vger.kernel.org > Cc: kernel-team@android.com > --- > drivers/media/usb/uvc/uvc_driver.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/usb/uvc/uvc_driver.c > b/drivers/media/usb/uvc/uvc_driver.c index bc369a0934a3..279a967b8264 > 100644 > --- a/drivers/media/usb/uvc/uvc_driver.c > +++ b/drivers/media/usb/uvc/uvc_driver.c > @@ -1082,11 +1082,11 @@ static int uvc_parse_standard_control(struct > uvc_device *dev, p = 0; > len = 8; > > - if (type == UVC_ITT_CAMERA) { > + if ((type & 0x7fff) == UVC_ITT_CAMERA) { > n = buflen >= 15 ? buffer[14] : 0; > len = 15; > > - } else if (type == UVC_ITT_MEDIA_TRANSPORT_INPUT) { > + } else if ((type & 0x7fff) == UVC_ITT_MEDIA_TRANSPORT_INPUT) { > n = buflen >= 9 ? buffer[8] : 0; > p = buflen >= 10 + n ? buffer[9+n] : 0; > len = 10; How about rejecting invalid types instead ? Something along the lines of diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index b62cbd800111..33a22c016456 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -1106,11 +1106,19 @@ static int uvc_parse_standard_control(struct uvc_device *dev, return -EINVAL; } - /* Make sure the terminal type MSB is not null, otherwise it - * could be confused with a unit. + /* + * Reject invalid terminal types that would cause issues: + * + * - The high byte must be non-zero, otherwise it would be + * confused with a unit. + * + * - Bit 15 must be 0, as we use it internally as a terminal + * direction flag. + * + * Other unknown types are accepted. */ type = get_unaligned_le16(&buffer[4]); - if ((type & 0xff00) == 0) { + if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) { uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol " "interface %d INPUT_TERMINAL %d has invalid " "type 0x%04x, skipping\n", udev->devnum, -- Regards, Laurent Pinchart