Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp830005pja;
        Wed, 1 Apr 2020 09:28:45 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vuL0YS5VfhoSd8FERarnBSMnSyVtsngV7s9kCKj1+lpeFgHDTUQlXr7VHg3ogFkGv2pOFaI
X-Received: by 2002:a9d:a68:: with SMTP id 95mr16416468otg.87.1585758523269;
        Wed, 01 Apr 2020 09:28:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585758523; cv=none;
        d=google.com; s=arc-20160816;
        b=klo6Oc1WwMcHQSlwFBTWxEZjgTZT8Lh/YWYzcaR646dGLY1fP5PmLjOohX8GVSwjtZ
         sZnhe+WzNRm9BCD60sjXABAzJMrBiIbTP09vm3XI+6XjWaKLA/V0aFnMWHiAXC92N9pZ
         n0AIs/GOu/3M30ly3QveYnuWw3HyCVkVmUdCZYTCCvr4iXG5azfb5pO33wKv83nvRPE8
         S5W2sB8OiOjka6ohATac+tVJ+Zz5MOky6KlZlVcZWGy5vxpLCJ48pB9K0s7vsA9JHsj1
         9Jl8x4FaiCNuua3VX0zuMsuDClx/xWmYIJ3iV4L10tUqw/k35PdT3kA7Vq0iagByu1Lr
         iTMQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=+AA4u8q9qP3deljDSZ5vtzp02z49H/O2FUK1cxL+v70=;
        b=BTLMorU4VC8uRX5KSEvdv/K71yAg53DHOubORwEcdvZHehM8hiWEKvEPx/zVVL/DqG
         m3h6uDhd3R+jmQ/qfmMn5xNKJIQSqM7er0+C0R0LAZXxcEnMUUVK3XRTP9yVrp0n4Xz8
         iafXGfzILCfPUWFxn41R3cehVs8wOHaLv5SZ/TTH1cCfNtZzE3j/LJ5/MkfLmQ/bLBaw
         HGIVJSjg5CAJUWhbk0SEuAVGZ9Gx+HBP4vO4JnHCUPC/2RZ0urwJNfvqSIejrOEsCKx6
         qJpXVTvRivn7CzLlydrwE7c167vTu0ElDYGLy2plRNza757Q9+0X6fqKQVw+xh302deo
         1cyQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=puEblgIS;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d125si1108400oif.236.2020.04.01.09.28.30;
        Wed, 01 Apr 2020 09:28:43 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=puEblgIS;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2387845AbgDAQ1c (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Wed, 1 Apr 2020 12:27:32 -0400
Received: from mail.kernel.org ([198.145.29.99]:52330 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1733133AbgDAQ1b (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 1 Apr 2020 12:27:31 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id BBA2020857;
        Wed,  1 Apr 2020 16:27:29 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1585758450;
        bh=gESZ+k3uAigjSvjDEXd0JIolkravefDLDKG+O2C0yuU=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=puEblgISkAvu97sSDaZm7wcEkGP/2eq+itn/pjlH9Ae+ggnvuYM26IyX1x8Tazy/E
         eYtvIOnzl0e7yJqxKDQWTXlguYOEuPZwKrxRorrtuTB/OBAsyXaX9J84vJdHcBptdZ
         T8wDa6lEHO/sUWzPa9KgVitHasEuQfBoNWU2rMvo=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Hans de Goede <hdegoede@redhat.com>,
        Johan Hovold <johan@kernel.org>,
        Hans Verkuil <hverkuil-cisco@xs4all.nl>,
        Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Subject: [PATCH 4.19 094/116] media: stv06xx: add missing descriptor sanity checks
Date:   Wed,  1 Apr 2020 18:17:50 +0200
Message-Id: <20200401161554.428688790@linuxfoundation.org>
X-Mailer: git-send-email 2.26.0
In-Reply-To: <20200401161542.669484650@linuxfoundation.org>
References: <20200401161542.669484650@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johan Hovold <johan@kernel.org>

commit 485b06aadb933190f4bc44e006076bc27a23f205 upstream.

Make sure to check that we have two alternate settings and at least one
endpoint before accessing the second altsetting structure and
dereferencing the endpoint arrays.

This specifically avoids dereferencing NULL-pointers or corrupting
memory when a device does not have the expected descriptors.

Note that the sanity checks in stv06xx_start() and pb0100_start() are
not redundant as the driver is mixing looking up altsettings by index
and by number, which may not coincide.

Fixes: 8668d504d72c ("V4L/DVB (12082): gspca_stv06xx: Add support for st6422 bridge and sensor")
Fixes: c0b33bdc5b8d ("[media] gspca-stv06xx: support bandwidth changing")
Cc: stable <stable@vger.kernel.org>     # 2.6.31
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/gspca/stv06xx/stv06xx.c        |   19 ++++++++++++++++++-
 drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c |    4 ++++
 2 files changed, 22 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
+++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
@@ -291,6 +291,9 @@ static int stv06xx_start(struct gspca_de
 		return -EIO;
 	}
 
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 	err = stv06xx_write_bridge(sd, STV_ISO_SIZE_L, packet_size);
 	if (err < 0)
@@ -315,11 +318,21 @@ out:
 
 static int stv06xx_isoc_init(struct gspca_dev *gspca_dev)
 {
+	struct usb_interface_cache *intfc;
 	struct usb_host_interface *alt;
 	struct sd *sd = (struct sd *) gspca_dev;
 
+	intfc = gspca_dev->dev->actconfig->intf_cache[0];
+
+	if (intfc->num_altsetting < 2)
+		return -ENODEV;
+
+	alt = &intfc->altsetting[1];
+
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	/* Start isoc bandwidth "negotiation" at max isoc bandwidth */
-	alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 	alt->endpoint[0].desc.wMaxPacketSize =
 		cpu_to_le16(sd->sensor->max_packet_size[gspca_dev->curr_mode]);
 
@@ -332,6 +345,10 @@ static int stv06xx_isoc_nego(struct gspc
 	struct usb_host_interface *alt;
 	struct sd *sd = (struct sd *) gspca_dev;
 
+	/*
+	 * Existence of altsetting and endpoint was verified in
+	 * stv06xx_isoc_init()
+	 */
 	alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 	packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 	min_packet_size = sd->sensor->min_packet_size[gspca_dev->curr_mode];
--- a/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
+++ b/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
@@ -194,6 +194,10 @@ static int pb0100_start(struct sd *sd)
 	alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);
 	if (!alt)
 		return -ENODEV;
+
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 
 	/* If we don't have enough bandwidth use a lower framerate */