linux/drivers/media/usb
Alistair Strachan ac8befb6dd media: uvcvideo: Fix 'type' check leading to overflow
commit 47bb117911 upstream.

When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.

If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.

Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.

Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Alistair Strachan <astrachan@google.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-13 14:02:26 -07:00
airspy
as102 media: fix usage of whitespaces and on indentation 2018-01-04 13:12:01 -05:00
au0828 media: au0828: fix spelling mistake: "completition" -> "completion" 2018-08-03 16:09:58 -04:00
b2c2 media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
cpia2 treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
cx231xx media: cx231xx: fix spelling mistake: "completition" -> "completion" 2018-08-03 16:09:41 -04:00
dvb-usb media: dvb-usb: fix spelling mistake: "completition" -> "completion" 2018-08-03 16:08:55 -04:00
dvb-usb-v2 media: dvb-usb-v2: Fix incorrect use of transfer_flags URB_FREE_BUFFER 2019-01-09 17:38:40 +01:00
em28xx media: em28xx: fix handler for vidioc_s_input() 2018-11-13 11:08:53 -08:00
go7007 media: go7007: use irqsave() in USB's complete callback 2018-08-02 13:50:14 -04:00
gspca media: gspca: fix frame overflow error 2018-12-13 09:16:17 +01:00
hackrf media: usb: hackrf: Replace GFP_ATOMIC with GFP_KERNEL 2018-08-02 19:16:17 -04:00
hdpvr media: hdpvr: don't check number of messages in the driver 2018-07-27 06:39:57 -04:00
msi2500 media: usb: fix spelling mistake: "synchronuously" -> "synchronously" 2017-11-07 03:47:09 -05:00
pulse8-cec media: pulse8-cec: print time using time64_t 2017-12-08 11:08:22 -05:00
pvrusb2 treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
pwc media: replace all <spaces><tab> occurrences 2018-01-04 13:15:05 -05:00
rainshadow-cec
s2255 media: s2255drv: fix a casting warning 2018-03-23 06:56:55 -04:00
siano media: siano: use GFP_DMA only for smssdio 2018-05-15 08:04:42 -04:00
stk1160 media: stk1160: Set the vb2_queue lock before calling vb2_queue_init 2018-07-04 08:03:43 -04:00
stkwebcam treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
tm6000 media: tm6000: don't check number of messages in the driver 2018-07-27 06:39:57 -04:00
ttusb-budget media updates for v4.16-rc1 2018-02-06 11:27:48 -08:00
ttusb-dec media: dvb: represent min/max/step/tolerance freqs in Hz 2018-08-02 18:10:48 -04:00
usbtv media: usbtv: use irqsave() in USB's complete callback 2018-08-02 14:17:15 -04:00
usbvision treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
uvc media: uvcvideo: Fix 'type' check leading to overflow 2019-03-13 14:02:26 -07:00
zr364xx docs: Fix some broken references 2018-06-15 18:10:01 -03:00
Kconfig
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00