From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov, "Hans Verkuil", "Hans de Goede", "Mauro Carvalho Chehab", "Johan Hovold"
Date: Fri, 24 Apr 2020 00:07:36 +0100
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 229/245] media: xirlink_cit: add missing descriptor sanity checks

3.16.83-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold

commit a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 upstream.

Make sure to check that we have two alternate settings and at least one endpoint before accessing the second altsetting structure and dereferencing the endpoint arrays.

This specifically avoids dereferencing NULL-pointers or corrupting memory when a device does not have the expected descriptors.

Note that the sanity check in cit_get_packet_size() is not redundant as the driver is mixing looking up altsettings by index and by number, which may not coincide.

Fixes: 659fefa0eb17 ("V4L/DVB: gspca_xirlink_cit: Add support for camera with a bcd version of 0.01")
Fixes: 59f8b0bf3c12 ("V4L/DVB: gspca_xirlink_cit: support bandwidth changing for devices with 1 alt setting")
Cc: Hans de Goede
Signed-off-by: Johan Hovold
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
 drivers/media/usb/gspca/xirlink_cit.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/gspca/xirlink_cit.c
+++ b/drivers/media/usb/gspca/xirlink_cit.c
@@ -1455,6 +1455,9 @@ static int cit_get_packet_size(struct gs return -EIO; } + if (alt->desc.bNumEndpoints < 1) + return -ENODEV; + return le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); } @@ -2632,6 +2635,7 @@ static int sd_start(struct gspca_dev *gs static int sd_isoc_init(struct gspca_dev *gspca_dev) { + struct usb_interface_cache *intfc; struct usb_host_interface *alt; int max_packet_size; @@ -2647,8 +2651,17 @@ static int sd_isoc_init(struct gspca_dev break; } + intfc = gspca_dev->dev->actconfig->intf_cache[0]; + + if (intfc->num_altsetting < 2) + return -ENODEV; + + alt = &intfc->altsetting[1]; + + if (alt->desc.bNumEndpoints < 1) + return -ENODEV; + /* Start isoc bandwidth "negotiation" at max isoc bandwidth */ - alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1]; alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(max_packet_size); return 0; @@ -2671,6 +2684,9 @@ static int sd_isoc_nego(struct gspca_dev break; } + /* + * Existence of altsetting and endpoint was verified in sd_isoc_init() + */ alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1]; packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); if (packet_size <= min_packet_size)
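Review bot: In the cit_get_packet_size() hunk the new bNumEndpoints check returns -ENODEV while the altsetting-lookup failure immediately above it (the `return -EIO;` in the context) describes the same condition, a device whose descriptors do not match what the driver expects; consider using one error code for both paths, or a one-line comment on why they differ, so callers do not have to tell them apart. The guard itself is placed correctly, directly before the only `alt->endpoint[0]` dereference in the visible context, and the commit message explains why it is not redundant with the checks added in sd_isoc_init(): this function resolves altsettings by number, sd_isoc_init() by array index, and the two need not coincide.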
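Review bot: In the sd_isoc_init() hunk the num_altsetting < 2 check is what keeps the following write, `alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(max_packet_size);`, inside the altsetting array, and the bNumEndpoints < 1 check keeps it inside the endpoint array; both are evaluated against `actconfig->intf_cache[0]`, i.e. by index, which matches the commit message. Nothing in the visible context acquires a resource between the end of the switch and the two new early returns, so no unwinding is needed there. One readability point: the old `alt = ...` assignment was moved out from under the `/* Start isoc bandwidth "negotiation" at max isoc bandwidth */` comment, so that comment now covers only the wMaxPacketSize write; consider placing the comment above the new validation block if the checks are meant to be read as part of the negotiation setup.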
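Review bot: In the sd_isoc_nego() hunk the new comment makes the safety of `alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];` and the `alt->endpoint[0]` read depend on sd_isoc_init() having succeeded earlier, which is an ordering guarantee provided by the gspca core rather than by this function. Please confirm, and ideally say in the comment, that the core never calls sd_isoc_nego() without a prior successful sd_isoc_init(); if that cannot be guaranteed, repeating the two cheap descriptor checks here, or storing the validated altsetting pointer in the driver's private state during sd_isoc_init() and reusing it, would make this function safe on its own.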