Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4830832imu; Wed, 19 Dec 2018 00:42:18 -0800 (PST) X-Google-Smtp-Source: AFSGD/XFmEBJp9G4XDNztdR7WFlRWiJive1va4mTQomYfCAfCYhlck2052ZS0i1mdCDgFu41xxeV X-Received: by 2002:a17:902:2c83:: with SMTP id n3mr19666996plb.104.1545208938599; Wed, 19 Dec 2018 00:42:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1545208938; cv=none; d=google.com; s=arc-20160816; b=BPepkaNSwGFCKlXmea9cfj/i6ixGFxAnawQkbc9mts4A/HJz0pzSBkFnjvQ6aFRs2I aKOnvE/1V2HVDpUclHmrfz+wDRFkyiglRR8+U30/daT94qZ+OpC2E0d9L9BAZHfiT2rE wApsmNGUP0qpdFtAgYVgFnY4nO879SrBJuWe2oddJEJDfVtwcPRaX6avX664uKYRQnPd tDNvgG/DFE/oLOsCiO4oE72OOiXd5IgAvg1dGaWKjIZtQjSU3oH6J1655CUdDkduhbS6 4hJyxHtXbCLGXEF0iQXHjxFcUzXy2FU61+Jb42vQCDdlnFOAbMDyVPMMDUyejpOldqXj h0MA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:organization:message-id:date:subject:cc:to :from:dkim-signature; bh=0UZhuxL38VpbKUUEuqPmQKWbDxOnZE0h93UrjaS2fCY=; b=IK3MTFcIrCVrrOxAKi+dCMIfm9MoQlx/CWrdDZguBG+cvkZUToOxM1XtHmOK0n0dM3 NttE9dpk83QuWcDxa2JL85ss3QztrLQAlT7SGi/2+9aAgbnXjD/93mP6LlKSAmCdq6hm NOR7sLbahAoU/tcqHalfQxfH8XRJeq7AvS1EEQZjwejoKPf0EtTxDhRgGUi3fqbsUDU1 GlP7Xv3x3pHCrbCRMjirZYuyHQCHtcz8aQ2TpjZp5ebVki/EVgTwGwVeqoGo4A5/e0Pr dnXInIUWT4QG5nrj16YaJW0DRHtJ5Po4URfKxya+OBwMLGRQfNlWGOg8QSc+V0pomEJF pmPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass (test mode) header.i=@ideasonboard.com header.s=mail header.b=oQ4wMY8F; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x10si6766976pgl.209.2018.12.19.00.42.02; Wed, 19 Dec 2018 00:42:18 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass (test mode) header.i=@ideasonboard.com header.s=mail header.b=oQ4wMY8F; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728116AbeLSIQ4 (ORCPT + 99 others); Wed, 19 Dec 2018 03:16:56 -0500 Received: from perceval.ideasonboard.com ([213.167.242.64]:59654 "EHLO perceval.ideasonboard.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727918AbeLSIQ4 (ORCPT ); Wed, 19 Dec 2018 03:16:56 -0500 Received: from avalon.localnet (dfj612ybrt5fhg77mgycy-3.rev.dnainternet.fi [IPv6:2001:14ba:21f5:5b00:2e86:4862:ef6a:2804]) by perceval.ideasonboard.com (Postfix) with ESMTPSA id E5E1F549; Wed, 19 Dec 2018 09:16:52 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com; s=mail; t=1545207413; bh=+Ihrvuu9I/2e5fhOT+vLeKL9NXmmQ+qENjywXMfbDT0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=oQ4wMY8FWSRd7kGGpkQIQ1D4aAgkEPC3PL5IhSFHZFiSM9LhKYr/PDkoRXe2z6sBc KtKp/htgkTaaEh2dVkHsjXn4wNw9t5xwgxypl97Ba4QDjRmB5vSPtTKdDn0HfY6v+t T+CDcid66zLPqB6CT00+sxowJHLHsBjqa7+4tDJk= From: Laurent Pinchart To: Alistair Strachan Cc: linux-kernel@vger.kernel.org, syzbot , Mauro Carvalho Chehab , linux-media@vger.kernel.org, kernel-team@android.com Subject: Re: [PATCH v2] media: uvcvideo: Fix 'type' check leading to overflow Date: Wed, 19 Dec 2018 10:17:46 +0200 Message-ID: <7327024.PA5BtzYvEC@avalon> Organization: Ideas on Board Oy In-Reply-To: <20181219013248.94850-1-astrachan@google.com> References: <20181219013248.94850-1-astrachan@google.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Alistair, Thank you for the patch. On Wednesday, 19 December 2018 03:32:48 EET Alistair Strachan wrote: > From: Laurent Pinchart Are you sure you don't want to keep authorship ? I've merely reviewed v1 and proposed an alternative implementation :-) Let me know what you would prefer and I'll apply this to my tree. > When initially testing the Camera Terminal Descriptor wTerminalType > field (buffer[4]), no mask is used. Later in the function, the MSB is > overloaded to store the descriptor subtype, and so a mask of 0x7fff > is used to check the type. > > If a descriptor is specially crafted to set this overloaded bit in the > original wTerminalType field, the initial type check will fail (falling > through, without adjusting the buffer size), but the later type checks > will pass, assuming the buffer has been made suitably large, causing an > overflow. > > Avoid this problem by checking for the MSB in the wTerminalType field. > If the bit is set, assume the descriptor is bad, and abort parsing it. > > Originally reported here: > https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8 > A similar (non-compiling) patch was provided at that time. > > Reported-by: syzbot > Signed-off-by: Alistair Strachan > Cc: Laurent Pinchart > Cc: Mauro Carvalho Chehab > Cc: linux-media@vger.kernel.org > Cc: kernel-team@android.com > --- > v2: Use an alternative fix suggested by Laurent > drivers/media/usb/uvc/uvc_driver.c | 14 +++++++++++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/drivers/media/usb/uvc/uvc_driver.c > b/drivers/media/usb/uvc/uvc_driver.c index bc369a0934a3..7fde3ce642c4 > 100644 > --- a/drivers/media/usb/uvc/uvc_driver.c > +++ b/drivers/media/usb/uvc/uvc_driver.c > @@ -1065,11 +1065,19 @@ static int uvc_parse_standard_control(struct > uvc_device *dev, return -EINVAL; > } > > - /* Make sure the terminal type MSB is not null, otherwise it > - * could be confused with a unit. > + /* > + * Reject invalid terminal types that would cause issues: > + * > + * - The high byte must be non-zero, otherwise it would be > + * confused with a unit. > + * > + * - Bit 15 must be 0, as we use it internally as a terminal > + * direction flag. > + * > + * Other unknown types are accepted. > */ > type = get_unaligned_le16(&buffer[4]); > - if ((type & 0xff00) == 0) { > + if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) { > uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol " > "interface %d INPUT_TERMINAL %d has invalid " > "type 0x%04x, skipping\n", udev->devnum, -- Regards, Laurent Pinchart