From patchwork Tue Jun 17 21:42:19 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kamal Mostafa X-Patchwork-Id: 360966 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 2D281140084; Wed, 18 Jun 2014 07:51:43 +1000 (EST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1Wx1I3-0003m0-S0; Tue, 17 Jun 2014 21:51:39 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1Wx194-0007g8-20 for kernel-team@lists.ubuntu.com; Tue, 17 Jun 2014 21:42:22 +0000 Received: from c-67-160-228-185.hsd1.ca.comcast.net ([67.160.228.185] helo=fourier) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1Wx193-0008Mj-AJ; Tue, 17 Jun 2014 21:42:21 +0000 Received: from kamal by fourier with local (Exim 4.82) (envelope-from ) id 1Wx191-0002Ot-F2; Tue, 17 Jun 2014 14:42:19 -0700 From: Kamal Mostafa To: Guennadi Liakhovetski Subject: [3.13.y.z extended stable] Patch "[media] V4L2: ov7670: fix a wrong index, potentially Oopsing the kernel from user-space" has been added to staging queue Date: Tue, 17 Jun 2014 14:42:19 -0700 Message-Id: <1403041339-9196-1-git-send-email-kamal@canonical.com> X-Mailer: git-send-email 1.9.1 X-Extended-Stable: 3.13 Cc: Kamal Mostafa , Mauro Carvalho Chehab , kernel-team@lists.ubuntu.com, Jonathan Corbet X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled [media] V4L2: ov7670: fix a wrong index, potentially Oopsing the kernel from user-space to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue This patch is scheduled to be released in version 3.13.11.4. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.13.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Kamal ------ From 743a82856f0d38fc4540dd8a77388824bb32d1d3 Mon Sep 17 00:00:00 2001 From: Guennadi Liakhovetski Date: Mon, 14 Apr 2014 10:49:34 -0300 Subject: [media] V4L2: ov7670: fix a wrong index, potentially Oopsing the kernel from user-space commit cfece5857ca51d1dcdb157017aba226f594e9dcf upstream. Commit 75e2bdad8901a0b599e01a96229be922eef1e488 "ov7670: allow configuration of image size, clock speed, and I/O method" uses a wrong index to iterate an array. Apart from being wrong, it also uses an unchecked value from user-space, which can cause access to unmapped memory in the kernel, triggered by a normal desktop user with rights to use V4L2 devices. Signed-off-by: Guennadi Liakhovetski Acked-by: Jonathan Corbet Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Kamal Mostafa --- drivers/media/i2c/ov7670.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 1.9.1 diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c index e8a1ce2..cdd7c1b 100644 --- a/drivers/media/i2c/ov7670.c +++ b/drivers/media/i2c/ov7670.c @@ -1109,7 +1109,7 @@ static int ov7670_enum_framesizes(struct v4l2_subdev *sd, * windows that fall outside that. */ for (i = 0; i < n_win_sizes; i++) { - struct ov7670_win_size *win = &info->devtype->win_sizes[index]; + struct ov7670_win_size *win = &info->devtype->win_sizes[i]; if (info->min_width && win->width < info->min_width) continue; if (info->min_height && win->height < info->min_height)