Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp3282202ybb; Tue, 31 Mar 2020 02:02:25 -0700 (PDT) X-Google-Smtp-Source: ADFU+vugKG7TNuuVgHn8zxWpDMEy0ZQ69XNqwI3p/Kr/jVSEJ1lkRd5QFFxcHQ/BffNT7RxlKRni X-Received: by 2002:aca:dd55:: with SMTP id u82mr1371169oig.27.1585645345705; Tue, 31 Mar 2020 02:02:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585645345; cv=none; d=google.com; s=arc-20160816; b=QxWnzdB2VGs1blTuYEV8uKDwRIbmJzRxJDTC/AsF1VTfbNl4rQZQgdvtXBrMbvf+cV i8Z5DcqDoFRtAdnvlCnj2KQPfg6ABoDd2QQcSRX7fi31aT8C5ond7VUEHIOZoHD1Ls3V ZdCoabAAKgleZAQimgnewu0xRaRtxLFhgb0fROK044qtLVBcwg4Y608k/4Ar751t6hcq a+RujcW8ZsxvihQbe0ZJPs6cWdeNQ/AIZEoK8gCqhztQ/s0LS/L3363ZH6sfOBBJCsII 7v1RvwHQGXX5h4sQPNvcYxBCt68QDpWr/tj16NTeCuuqvI2tmAmmRiTd33tUymES588h qz4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ff+eEgIrFgMePZqIJ6ldvDlQ5ikna2H05zRB8cZjNn0=; b=AKWe59mKSCdQ3MWu7e/eRH32CHT/0cR7e/IwL5zYPhG6xPrw9CyUf5b2dxYpa/GuDz NldmCcpP2N6eIV/JGLDNmPMgFl7w11BpNaBdz9F4nSweDE9jdo7hJxxrNuziLc9KHc9O Ac2Qrzy3HSy9M7NkvyNRM0dykiQ9UbBF9aB3W0cuDdBh1fck/eiY93V/3PqlpAJLvauM wJlpzghVnE9/Vvn9kpRDaWHZki7v5fiio5ccc+NwPXJ05oBkClasUrCAv4KmR4oTGlED aum3fiiGbl1XLD0msIq3QxYvgqdb8trN6NBSqUvXxOOVDk6m6DVmSnLdTVbk/RRjwFfr dgmw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=mgNGq8XD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n70si7369942ota.89.2020.03.31.02.02.13; Tue, 31 Mar 2020 02:02:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=mgNGq8XD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730569AbgCaJB0 (ORCPT + 99 others); Tue, 31 Mar 2020 05:01:26 -0400 Received: from mail.kernel.org ([198.145.29.99]:40606 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730552AbgCaJBY (ORCPT ); Tue, 31 Mar 2020 05:01:24 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3AFF620B1F; Tue, 31 Mar 2020 09:01:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585645283; bh=TIixybRB4YOuIydEg4jkisdfemupE0rM2og/2zbTMQ0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mgNGq8XDsL14gycB77dw8Ri3zHuJTK5LSRHEcwHjTsQ3acdbFGvA7fMsptEBmE7EP VbvylKFm/WUwVfjrKihia6lMzbOYKSImv2AwK5T7QY0CDXh61SWfY7CIssVhNVyUM3 IeDbrtLoJrLbAY7jptBYjQROHjiW/AzFViMRC3x0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hans de Goede , Johan Hovold , Hans Verkuil , Mauro Carvalho Chehab Subject: [PATCH 5.6 21/23] media: stv06xx: add missing descriptor sanity checks Date: Tue, 31 Mar 2020 10:59:33 +0200 Message-Id: <20200331085317.113263716@linuxfoundation.org> X-Mailer: git-send-email 2.26.0 In-Reply-To: <20200331085308.098696461@linuxfoundation.org> References: <20200331085308.098696461@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit 485b06aadb933190f4bc44e006076bc27a23f205 upstream. Make sure to check that we have two alternate settings and at least one endpoint before accessing the second altsetting structure and dereferencing the endpoint arrays. This specifically avoids dereferencing NULL-pointers or corrupting memory when a device does not have the expected descriptors. Note that the sanity checks in stv06xx_start() and pb0100_start() are not redundant as the driver is mixing looking up altsettings by index and by number, which may not coincide. Fixes: 8668d504d72c ("V4L/DVB (12082): gspca_stv06xx: Add support for st6422 bridge and sensor") Fixes: c0b33bdc5b8d ("[media] gspca-stv06xx: support bandwidth changing") Cc: stable # 2.6.31 Cc: Hans de Goede Signed-off-by: Johan Hovold Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/usb/gspca/stv06xx/stv06xx.c | 19 ++++++++++++++++++- drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c | 4 ++++ 2 files changed, 22 insertions(+), 1 deletion(-) --- a/drivers/media/usb/gspca/stv06xx/stv06xx.c +++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c @@ -282,6 +282,9 @@ static int stv06xx_start(struct gspca_de return -EIO; } + if (alt->desc.bNumEndpoints < 1) + return -ENODEV; + packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); err = stv06xx_write_bridge(sd, STV_ISO_SIZE_L, packet_size); if (err < 0) @@ -306,11 +309,21 @@ out: static int stv06xx_isoc_init(struct gspca_dev *gspca_dev) { + struct usb_interface_cache *intfc; struct usb_host_interface *alt; struct sd *sd = (struct sd *) gspca_dev; + intfc = gspca_dev->dev->actconfig->intf_cache[0]; + + if (intfc->num_altsetting < 2) + return -ENODEV; + + alt = &intfc->altsetting[1]; + + if (alt->desc.bNumEndpoints < 1) + return -ENODEV; + /* Start isoc bandwidth "negotiation" at max isoc bandwidth */ - alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1]; alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(sd->sensor->max_packet_size[gspca_dev->curr_mode]); @@ -323,6 +336,10 @@ static int stv06xx_isoc_nego(struct gspc struct usb_host_interface *alt; struct sd *sd = (struct sd *) gspca_dev; + /* + * Existence of altsetting and endpoint was verified in + * stv06xx_isoc_init() + */ alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1]; packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); min_packet_size = sd->sensor->min_packet_size[gspca_dev->curr_mode]; --- a/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c +++ b/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c @@ -185,6 +185,10 @@ static int pb0100_start(struct sd *sd) alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt); if (!alt) return -ENODEV; + + if (alt->desc.bNumEndpoints < 1) + return -ENODEV; + packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); /* If we don't have enough bandwidth use a lower framerate */