[PATCH] Prevent heap overflow in uvc driver
Robb Glasser [Sun, 16 Apr 2017 17:55:58 +0000 (22:55 +0530)]
The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Bug 1899974

Bug: 33300353
Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd
Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463514
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bhanu Murthy V <bmurthyv@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

drivers/media/usb/uvc/uvc_ctrl.c

index a2f4501..f61d1d7 100644 (file)
@@ -1939,6 +1939,9 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
        if (!found)
                return -ENOENT;
 
+       if (ctrl->info.size < mapping->size)
+               return -EINVAL;
+
        if (mutex_lock_interruptible(&chain->ctrl_mutex))
                return -ERESTARTSYS;
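
Review bot: the added test `if (ctrl->info.size < mapping->size)` bounds only the mapping's size field and has no comment stating what units the two sides are in, so it is not clear from the hunk that the comparison is like for like. In the uvcvideo driver, a mapping's size and offset are bit counts while `ctrl->info.size` is a byte count. If that holds for this tree, a mapping with a small size but a large offset still passes this check and can address data past the end of the control buffer. Suggest bounding the whole field instead, along the lines of `mapping->offset + mapping->size > ctrl->info.size * 8`, and adding a one-line comment naming the units. Placing the `-EINVAL` return before `mutex_lock_interruptible()` is fine, since nothing needs unlocking on that path.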