Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4830832imu;
        Wed, 19 Dec 2018 00:42:18 -0800 (PST)
X-Google-Smtp-Source: AFSGD/XFmEBJp9G4XDNztdR7WFlRWiJive1va4mTQomYfCAfCYhlck2052ZS0i1mdCDgFu41xxeV
X-Received: by 2002:a17:902:2c83:: with SMTP id n3mr19666996plb.104.1545208938599;
        Wed, 19 Dec 2018 00:42:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1545208938; cv=none;
        d=google.com; s=arc-20160816;
        b=BPepkaNSwGFCKlXmea9cfj/i6ixGFxAnawQkbc9mts4A/HJz0pzSBkFnjvQ6aFRs2I
         aKOnvE/1V2HVDpUclHmrfz+wDRFkyiglRR8+U30/daT94qZ+OpC2E0d9L9BAZHfiT2rE
         wApsmNGUP0qpdFtAgYVgFnY4nO879SrBJuWe2oddJEJDfVtwcPRaX6avX664uKYRQnPd
         tDNvgG/DFE/oLOsCiO4oE72OOiXd5IgAvg1dGaWKjIZtQjSU3oH6J1655CUdDkduhbS6
         4hJyxHtXbCLGXEF0iQXHjxFcUzXy2FU61+Jb42vQCDdlnFOAbMDyVPMMDUyejpOldqXj
         h0MA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:organization:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=0UZhuxL38VpbKUUEuqPmQKWbDxOnZE0h93UrjaS2fCY=;
        b=IK3MTFcIrCVrrOxAKi+dCMIfm9MoQlx/CWrdDZguBG+cvkZUToOxM1XtHmOK0n0dM3
         NttE9dpk83QuWcDxa2JL85ss3QztrLQAlT7SGi/2+9aAgbnXjD/93mP6LlKSAmCdq6hm
         NOR7sLbahAoU/tcqHalfQxfH8XRJeq7AvS1EEQZjwejoKPf0EtTxDhRgGUi3fqbsUDU1
         GlP7Xv3x3pHCrbCRMjirZYuyHQCHtcz8aQ2TpjZp5ebVki/EVgTwGwVeqoGo4A5/e0Pr
         dnXInIUWT4QG5nrj16YaJW0DRHtJ5Po4URfKxya+OBwMLGRQfNlWGOg8QSc+V0pomEJF
         pmPQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass (test mode) header.i=@ideasonboard.com header.s=mail header.b=oQ4wMY8F;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x10si6766976pgl.209.2018.12.19.00.42.02;
        Wed, 19 Dec 2018 00:42:18 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass (test mode) header.i=@ideasonboard.com header.s=mail header.b=oQ4wMY8F;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728116AbeLSIQ4 (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Wed, 19 Dec 2018 03:16:56 -0500
Received: from perceval.ideasonboard.com ([213.167.242.64]:59654 "EHLO
        perceval.ideasonboard.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727918AbeLSIQ4 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 19 Dec 2018 03:16:56 -0500
Received: from avalon.localnet (dfj612ybrt5fhg77mgycy-3.rev.dnainternet.fi [IPv6:2001:14ba:21f5:5b00:2e86:4862:ef6a:2804])
        by perceval.ideasonboard.com (Postfix) with ESMTPSA id E5E1F549;
        Wed, 19 Dec 2018 09:16:52 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;
        s=mail; t=1545207413;
        bh=+Ihrvuu9I/2e5fhOT+vLeKL9NXmmQ+qENjywXMfbDT0=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=oQ4wMY8FWSRd7kGGpkQIQ1D4aAgkEPC3PL5IhSFHZFiSM9LhKYr/PDkoRXe2z6sBc
         KtKp/htgkTaaEh2dVkHsjXn4wNw9t5xwgxypl97Ba4QDjRmB5vSPtTKdDn0HfY6v+t
         T+CDcid66zLPqB6CT00+sxowJHLHsBjqa7+4tDJk=
From:   Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To:     Alistair Strachan <astrachan@google.com>
Cc:     linux-kernel@vger.kernel.org, syzbot <syzkaller@googlegroups.com>,
        Mauro Carvalho Chehab <mchehab@kernel.org>,
        linux-media@vger.kernel.org, kernel-team@android.com
Subject: Re: [PATCH v2] media: uvcvideo: Fix 'type' check leading to overflow
Date:   Wed, 19 Dec 2018 10:17:46 +0200
Message-ID: <7327024.PA5BtzYvEC@avalon>
Organization: Ideas on Board Oy
In-Reply-To: <20181219013248.94850-1-astrachan@google.com>
References: <20181219013248.94850-1-astrachan@google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Alistair,

Thank you for the patch.

On Wednesday, 19 December 2018 03:32:48 EET Alistair Strachan wrote:
> From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

Are you sure you don't want to keep authorship ? I've merely reviewed v1 and 
proposed an alternative implementation :-) Let me know what you would prefer 
and I'll apply this to my tree.

> When initially testing the Camera Terminal Descriptor wTerminalType
> field (buffer[4]), no mask is used. Later in the function, the MSB is
> overloaded to store the descriptor subtype, and so a mask of 0x7fff
> is used to check the type.
> 
> If a descriptor is specially crafted to set this overloaded bit in the
> original wTerminalType field, the initial type check will fail (falling
> through, without adjusting the buffer size), but the later type checks
> will pass, assuming the buffer has been made suitably large, causing an
> overflow.
> 
> Avoid this problem by checking for the MSB in the wTerminalType field.
> If the bit is set, assume the descriptor is bad, and abort parsing it.
> 
> Originally reported here:
> https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
> A similar (non-compiling) patch was provided at that time.
> 
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Signed-off-by: Alistair Strachan <astrachan@google.com>
> Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: linux-media@vger.kernel.org
> Cc: kernel-team@android.com
> ---
> v2: Use an alternative fix suggested by Laurent
>  drivers/media/usb/uvc/uvc_driver.c | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/media/usb/uvc/uvc_driver.c
> b/drivers/media/usb/uvc/uvc_driver.c index bc369a0934a3..7fde3ce642c4
> 100644
> --- a/drivers/media/usb/uvc/uvc_driver.c
> +++ b/drivers/media/usb/uvc/uvc_driver.c
> @@ -1065,11 +1065,19 @@ static int uvc_parse_standard_control(struct
> uvc_device *dev, return -EINVAL;
>  		}
> 
> -		/* Make sure the terminal type MSB is not null, otherwise it
> -		 * could be confused with a unit.
> +		/*
> +		 * Reject invalid terminal types that would cause issues:
> +		 *
> +		 * - The high byte must be non-zero, otherwise it would be
> +		 *   confused with a unit.
> +		 *
> +		 * - Bit 15 must be 0, as we use it internally as a terminal
> +		 *   direction flag.
> +		 *
> +		 * Other unknown types are accepted.
>  		 */
>  		type = get_unaligned_le16(&buffer[4]);
> -		if ((type & 0xff00) == 0) {
> +		if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) {
>  			uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol "
>  				"interface %d INPUT_TERMINAL %d has invalid "
>  				"type 0x%04x, skipping\n", udev->devnum,

-- 
Regards,

Laurent Pinchart