From patchwork Tue May 8 07:57:47 2018
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 910051
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [CVE-2017-0627][Trusty][SRU][PATCH 1/1] media: uvcvideo: Prevent heap overflow when accessing mapped controls
Date: Tue, 8 May 2018 15:57:47 +0800
Message-Id: <20180508075747.13319-2-po-hsu.lin@canonical.com>
In-Reply-To: <20180508075747.13319-1-po-hsu.lin@canonical.com>
References: <20180508075747.13319-1-po-hsu.lin@canonical.com>

From: Guenter Roeck

CVE-2017-0627

The size of uvc_control_mapping is user controlled leading to a potential heap overflow in the uvc driver. This adds a check to verify the user provided size fits within the bounds of the defined buffer size.

Originally-from: Richard Simmons
Cc: stable@vger.kernel.org
Signed-off-by: Guenter Roeck Reviewed-by: Laurent Pinchart Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab (cherry picked from commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba) Signed-off-by: Po-Hsu Lin Acked-by: Kleber Sacilotto de Souza Acked-by: Andy Whitcroft --- drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index 0eb82106..f1c1467 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -1949,6 +1949,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain, goto done; } + /* Validate the user-provided bit-size and offset */ + if (mapping->size > 32 || + mapping->offset + mapping->size > ctrl->info.size * 8) { + ret = -EINVAL; + goto done; + } + list_for_each_entry(map, &ctrl->info.mappings, list) { if (mapping->id == map->id) { uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "
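Review bot: In the check added to uvc_ctrl_add_mapping(), the clause `mapping->offset + mapping->size > ctrl->info.size * 8` is only sound if the sum cannot wrap, and the types of `offset` and `size` are not visible in this hunk. It is worth confirming that they are narrow enough for integer promotion to make the addition safe, or bounding `mapping->offset` on its own before the sum is taken. The literal 32 in `mapping->size > 32` should be explained in the comment, since the hunk does not say why that is the limit. Unlike the duplicate-id path in the context just below, which reports through `uvc_trace(UVC_TRACE_CONTROL, ...)`, this rejection returns -EINVAL without any trace; a trace line naming the mapping would make a refused user-provided mapping diagnosable.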