| Message ID | 20180508075747.13319-2-po-hsu.lin@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | Fix for CVE-2017-0627 | expand |
On 05/08/18 09:57, Po-Hsu Lin wrote: > From: Guenter Roeck <linux@roeck-us.net> > > CVE-2017-0627 > > The size of uvc_control_mapping is user controlled leading to a > potential heap overflow in the uvc driver. This adds a check to verify > the user provided size fits within the bounds of the defined buffer > size. > > Originally-from: Richard Simmons <rssimmo@amazon.com> > > Cc: stable@vger.kernel.org > Signed-off-by: Guenter Roeck <linux@roeck-us.net> > Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> > Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> > (cherry picked from commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c > index 0eb82106..f1c1467 100644 > --- a/drivers/media/usb/uvc/uvc_ctrl.c > +++ b/drivers/media/usb/uvc/uvc_ctrl.c > @@ -1949,6 +1949,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain, > goto done; > } > > + /* Validate the user-provided bit-size and offset */ > + if (mapping->size > 32 || > + mapping->offset + mapping->size > ctrl->info.size * 8) { > + ret = -EINVAL; > + goto done; > + } > + > list_for_each_entry(map, &ctrl->info.mappings, list) { > if (mapping->id == map->id) { > uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', " >
On Tue, May 08, 2018 at 03:57:47PM +0800, Po-Hsu Lin wrote: > From: Guenter Roeck <linux@roeck-us.net> > > CVE-2017-0627 > > The size of uvc_control_mapping is user controlled leading to a > potential heap overflow in the uvc driver. This adds a check to verify > the user provided size fits within the bounds of the defined buffer > size. > > Originally-from: Richard Simmons <rssimmo@amazon.com> > > Cc: stable@vger.kernel.org > Signed-off-by: Guenter Roeck <linux@roeck-us.net> > Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> > Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> > (cherry picked from commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c > index 0eb82106..f1c1467 100644 > --- a/drivers/media/usb/uvc/uvc_ctrl.c > +++ b/drivers/media/usb/uvc/uvc_ctrl.c > @@ -1949,6 +1949,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain, > goto done; > } > > + /* Validate the user-provided bit-size and offset */ > + if (mapping->size > 32 || > + mapping->offset + mapping->size > ctrl->info.size * 8) { > + ret = -EINVAL; > + goto done; > + } > + > list_for_each_entry(map, &ctrl->info.mappings, list) { > if (mapping->id == map->id) { > uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', " > -- > 2.7.4 Clean cherry-pick, looks to do what is claimed. Acked-by: Andy Whitcroft <apw@canonical.com> -apw
diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index 0eb82106..f1c1467 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -1949,6 +1949,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain, goto done; } + /* Validate the user-provided bit-size and offset */ + if (mapping->size > 32 || + mapping->offset + mapping->size > ctrl->info.size * 8) { + ret = -EINVAL; + goto done; + } + list_for_each_entry(map, &ctrl->info.mappings, list) { if (mapping->id == map->id) { uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "