From: Johan Hovold To: Laurent Pinchart Cc: Mauro Carvalho Chehab , linux-media@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable@vger.kernel.org Subject: [PATCH] media: uvcvideo: fix division by zero at stream start Date: Tue, 26 Oct 2021 11:55:11 +0200 Message-Id: <20211026095511.26673-1-johan@kernel.org> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add the missing bulk-endpoint max-packet sanity check to probe() to avoid division by zero in uvc_alloc_urb_buffers() in case a malicious device has broken descriptors (or when doing descriptor fuzz testing). Note that USB core will reject URBs submitted for endpoints with zero wMaxPacketSize but that drivers doing packet-size calculations still need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip endpoint descriptors with maxpacket=0")). Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") Cc: stable@vger.kernel.org # 2.6.26 Signed-off-by: Johan Hovold --- drivers/media/usb/uvc/uvc_video.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index e16464606b14..85ac5c1081b6 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -1958,6 +1958,10 @@ static int uvc_video_start_transfer(struct uvc_streaming *stream, if (ep == NULL) return -EIO; + /* Reject broken descriptors. */ + if (usb_endpoint_maxp(&ep->desc) == 0) + return -EIO; + ret = uvc_init_video_bulk(stream, ep, gfp_flags); } -- 2.32.0
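Review bot: The new check sits in uvc_video_start_transfer(), in the bulk path just before uvc_init_video_bulk(), but the commit message says the check is added "to probe()"; one of the two should change. As placed, a bulk endpoint reporting zero wMaxPacketSize is refused with -EIO when a transfer is started, which matches the subject line ("at stream start"), so the simplest fix is to reword the message to name uvc_video_start_transfer(). The comment "Reject broken descriptors." would also be more useful if it said what is broken, for example that a zero max packet size would otherwise be used as a divisor in uvc_alloc_urb_buffers(), so a later reader does not drop the check as redundant with the USB core's URB rejection that the message mentions.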