Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp830061pja;
        Wed, 1 Apr 2020 09:28:49 -0700 (PDT)
X-Google-Smtp-Source: APiQypLkgnlq4pb5ZnJuzs5OfRmYRB8lpPMe1JXUAxOu533192Ar7wtu3krcqWCMTFP70KzkT4xh
X-Received: by 2002:a05:6808:8f:: with SMTP id s15mr3550549oic.110.1585758529022;
        Wed, 01 Apr 2020 09:28:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585758529; cv=none;
        d=google.com; s=arc-20160816;
        b=jVX0+83XrgZKg3i3l7eDbXxhiF4hHwjW91lxVXnVwFk4de0pmL6nsMeimnEZrQ5JIi
         ZDHz0KwEzm1S2REEEenLPn41eGvnmYTO1zHnDn0Rj3eSC+VOX5zJWpDeRRj2PGpdBUmC
         FLDUv/2JA7FaFpy8X0sW6c6FxYbpd0/cT5U2CFhFDOYVxzRwOePfqTs8eNc2sJJlOA0F
         chzZGInJEmjdzNFkB3MH8694jcJ8oSgy9rrwjbyZBRptWtxo0iGZClYIg0KK3p/2VNby
         6TdHWXqztH3v16alY6+EnhSBedHupT9rZzuzucL46yh07sKcd1gLort7jzHO44qvfzgN
         VI7Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=4SG2dMn5h5uvCn0OnUEzEt4ZyUs+8+QnpbSi/gTaj9E=;
        b=OBx5AcbBJbL+4PDLvdGwb9OoZTM10QQPJIUomsAtzSI4EXoQLwxMw/fgwKILcC9GlU
         TPg/2RmYsVY3wfJ0/i00RRqxYnkM+QY5BprKHE0L4z30MAGEQtkp+9YiKJH0xy67qdng
         VJNvEMwZYno3+jPIAJsY8N3CC8dNUF0jkv6OzrEwgbYQ9UolCsKTeZlQHkmis77gelKT
         15TOOTYap9USpXXbS8xNkdXVum1tXCDY2PJ8kI+xR0rUhSfswYb+9VwUTvQrX2tjPxTT
         4K/Ko5rXMaQt3Ba3nVpI+2Q5OLLdN0rifT3f6Kj5crgfgkRFg3gTaCcHzT5Yb4sXVBac
         XzLA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=KfKQCW9+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k7si1043984otp.258.2020.04.01.09.28.36;
        Wed, 01 Apr 2020 09:28:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=KfKQCW9+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2387791AbgDAQ1h (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Wed, 1 Apr 2020 12:27:37 -0400
Received: from mail.kernel.org ([198.145.29.99]:52432 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1733133AbgDAQ1f (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 1 Apr 2020 12:27:35 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 7175020BED;
        Wed,  1 Apr 2020 16:27:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1585758454;
        bh=yMlkCSjAzL6i8JFG1AkNzA7dBBbdcmVAGVf1jTVVNOI=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=KfKQCW9+GeYIV5yHDeWPtX4WWLwZx1hFJKelU3S6d0N3Mwirw2oHKuchc2A7ulHKU
         S/4IYG8h0+Yz9CZMHRfpNUJCUEuduZyZZnlx/9K+T7v/dln90E9KzKSGbC8frYjb5W
         IYtDbCSmFZnDBhWajNxqYwv3ByoixDVtJsrHjcsw=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Hans de Goede <hdegoede@redhat.com>,
        Johan Hovold <johan@kernel.org>,
        Hans Verkuil <hverkuil-cisco@xs4all.nl>,
        Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Subject: [PATCH 4.19 095/116] media: xirlink_cit: add missing descriptor sanity checks
Date:   Wed,  1 Apr 2020 18:17:51 +0200
Message-Id: <20200401161554.534661665@linuxfoundation.org>
X-Mailer: git-send-email 2.26.0
In-Reply-To: <20200401161542.669484650@linuxfoundation.org>
References: <20200401161542.669484650@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johan Hovold <johan@kernel.org>

commit a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 upstream.

Make sure to check that we have two alternate settings and at least one
endpoint before accessing the second altsetting structure and
dereferencing the endpoint arrays.

This specifically avoids dereferencing NULL-pointers or corrupting
memory when a device does not have the expected descriptors.

Note that the sanity check in cit_get_packet_size() is not redundant as
the driver is mixing looking up altsettings by index and by number,
which may not coincide.

Fixes: 659fefa0eb17 ("V4L/DVB: gspca_xirlink_cit: Add support for camera with a bcd version of 0.01")
Fixes: 59f8b0bf3c12 ("V4L/DVB: gspca_xirlink_cit: support bandwidth changing for devices with 1 alt setting")
Cc: stable <stable@vger.kernel.org>     # 2.6.37
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/gspca/xirlink_cit.c |   18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/gspca/xirlink_cit.c
+++ b/drivers/media/usb/gspca/xirlink_cit.c
@@ -1452,6 +1452,9 @@ static int cit_get_packet_size(struct gs
 		return -EIO;
 	}
 
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	return le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 }
 
@@ -2636,6 +2639,7 @@ static int sd_start(struct gspca_dev *gs
 
 static int sd_isoc_init(struct gspca_dev *gspca_dev)
 {
+	struct usb_interface_cache *intfc;
 	struct usb_host_interface *alt;
 	int max_packet_size;
 
@@ -2651,8 +2655,17 @@ static int sd_isoc_init(struct gspca_dev
 		break;
 	}
 
+	intfc = gspca_dev->dev->actconfig->intf_cache[0];
+
+	if (intfc->num_altsetting < 2)
+		return -ENODEV;
+
+	alt = &intfc->altsetting[1];
+
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	/* Start isoc bandwidth "negotiation" at max isoc bandwidth */
-	alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 	alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(max_packet_size);
 
 	return 0;
@@ -2675,6 +2688,9 @@ static int sd_isoc_nego(struct gspca_dev
 		break;
 	}
 
+	/*
+	 * Existence of altsetting and endpoint was verified in sd_isoc_init()
+	 */
 	alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 	packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 	if (packet_size <= min_packet_size)