Date: Tue, 18 Dec 2018 17:32:48 -0800
Message-Id: <20181219013248.94850-1-astrachan@google.com>
Subject: [PATCH v2] media: uvcvideo: Fix 'type' check leading to overflow
From: Alistair Strachan
To: linux-kernel@vger.kernel.org
Cc: syzbot, Laurent Pinchart, Mauro Carvalho Chehab, linux-media@vger.kernel.org, kernel-team@android.com
X-Mailer: git-send-email 2.20.1.415.g653613c723-goog
X-Mailing-List: linux-kernel@vger.kernel.org
From: Laurent Pinchart

When initially testing the Camera Terminal Descriptor wTerminalType field
(buffer[4]), no mask is used. Later in the function, the MSB is overloaded
to store the descriptor subtype, and so a mask of 0x7fff is used to check
the type. If a descriptor is specially crafted to set this overloaded bit
in the original wTerminalType field, the initial type check will fail
(falling through, without adjusting the buffer size), but the later type
checks will pass, assuming the buffer has been made suitably large,
causing an overflow.

Avoid this problem by checking for the MSB in the wTerminalType field. If
the bit is set, assume the descriptor is bad, and abort parsing it.

Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8

A similar (non-compiling) patch was provided at that time.

Reported-by: syzbot
Signed-off-by: Alistair Strachan
Cc: Laurent Pinchart
Cc: Mauro Carvalho Chehab
Cc: linux-media@vger.kernel.org
Cc: kernel-team@android.com
---
v2: Use an alternative fix suggested by Laurent

 drivers/media/usb/uvc/uvc_driver.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index bc369a0934a3..7fde3ce642c4 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -1065,11 +1065,19 @@ static int uvc_parse_standard_control(struct uvc_device *dev, return -EINVAL; } - /* Make sure the terminal type MSB is not null, otherwise it - * could be confused with a unit. + /* + * Reject invalid terminal types that would cause issues: + * + * - The high byte must be non-zero, otherwise it would be + * confused with a unit. + * + * - Bit 15 must be 0, as we use it internally as a terminal + * direction flag. + * + * Other unknown types are accepted. */ type = get_unaligned_le16(&buffer[4]); - if ((type & 0xff00) == 0) { + if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) { uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol " "interface %d INPUT_TERMINAL %d has invalid " "type 0x%04x, skipping\n", udev->devnum, -- 2.20.1.415.g653613c723-goog
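Review bot: the new block comment and the commit message describe bit 15 differently: the comment says it is "used internally as a terminal direction flag", while the commit message says the MSB "is overloaded to store the descriptor subtype"; please reconcile the two so the log explains the same reason the code does. Also, because bit 15 is now rejected by the separate `(type & 0x8000) != 0` test, `(type & 0x7f00) == 0` rejects exactly the same values the old `(type & 0xff00) == 0` did; the narrower mask reads well, but a few words in the comment (e.g. "high byte excluding the direction bit") would make clear it is a readability choice, not a second behaviour change.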
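As an added illustration, not the driver's code, here is a small model of the two-stage check the commit message describes, run over a constructed descriptor with bit 15 set beside a well-formed one. The Camera Terminal Descriptor layout, the UVC_ITT_CAMERA value and the 0x7fff mask are assumptions taken from UVC conventions, and overread_bytes, old_type_check_ok and new_type_check_ok are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed constants (UVC spec / uvcvideo conventions, not from the patch). */
#define UVC_ITT_CAMERA     0x0201          /* Camera Terminal wTerminalType */
#define UVC_ENTITY_TYPE(t) ((t) & 0x7fff)  /* driver masks off bit 15 later */

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Pre-patch sanity check: high byte non-zero, bit 15 counted as part of it. */
static bool old_type_check_ok(uint16_t type) { return (type & 0xff00) != 0; }
/* Post-patch check from the hunk: high 7 bits non-zero and bit 15 clear. */
static bool new_type_check_ok(uint16_t type)
{
    return (type & 0x7f00) != 0 && (type & 0x8000) == 0;
}

/* Model of the two stages the commit message describes: the size check
 * compares the raw type exactly, the later per-terminal code compares the
 * masked type.  Returns how many bytes that later stage reads past buflen
 * (0 if the descriptor is rejected or consistent).  Layout assumed from the
 * UVC Camera Terminal Descriptor: wTerminalType at 4, bControlSize at 14. */
static size_t overread_bytes(const uint8_t *buf, size_t buflen,
                             bool (*check)(uint16_t))
{
    if (buflen < 8)
        return 0;                       /* too short, parser bails out */
    uint16_t type = get_le16(&buf[4]);
    if (!check(type))
        return 0;                       /* rejected by the sanity check */
    size_t n = 0, len = 8;
    if (type == UVC_ITT_CAMERA) {       /* exact compare sizes the buffer */
        n = buflen >= 15 ? buf[14] : 0;
        len = 15;
    }
    if (buflen < len + n)
        return 0;                       /* length check fails, rejected */
    /* Masked compare now treats the entity as a camera and reads 15 + n. */
    if (UVC_ENTITY_TYPE(type) == UVC_ITT_CAMERA) {
        size_t need = 15 + (buflen >= 15 ? buf[14] : 0);
        return need > buflen ? need - buflen : 0;
    }
    return 0;
}

/* Constructed descriptors: wTerminalType 0x8201 (camera with bit 15 set) in
 * an 8-byte buffer, and a well-formed 15-byte camera with bControlSize 0. */
static const uint8_t crafted[8] = { 8, 0x24, 0x02, 1, 0x01, 0x82, 0, 0 };
static const uint8_t benign[15] = { 15, 0x24, 0x02, 1, 0x01, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
```

With the old check the crafted 8-byte descriptor passes the sanity test yet is later sized as a camera, so the model reports a 7-byte over-read; the patched check rejects it before any size is computed.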