android_kernel_oneplus_msm8998/drivers/media/usb
Alistair Strachan 88950d5914 media: uvcvideo: Fix 'type' check leading to overflow
commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.

When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.

If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.

Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.

Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.

Change-Id: Icedffeb8d406351675f5195fdd9000a644d07b95
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Alistair Strachan <astrachan@google.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-08-09 17:59:09 +02:00
airspy media: fix airspy usb probe error path 2016-08-10 11:49:29 +02:00
as102 media: Don't do DMA on stack for firmware upload in the AS102 driver 2017-11-30 08:37:24 +00:00
au0828 au0828: Fix dev_state handling 2016-04-20 15:42:09 +09:00
b2c2
cpia2 media: cpia2: Fix a couple off by one bugs 2018-03-22 09:23:29 +01:00
cx231xx media: cx231xx: Add support for AverMedia DVD EZMaker 7 2018-07-03 11:21:33 +02:00
dvb-usb media: cxusb, dib0700: ignore XC2028_I2C_FLUSH 2018-02-16 20:09:45 +01:00
dvb-usb-v2 media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner 2018-02-16 20:09:41 +01:00
em28xx media: em28xx: Fix use-after-free when disconnecting 2019-03-30 07:59:30 +01:00
go7007 go7007: add MEDIA_CAMERA_SUPPORT dependency 2018-02-25 11:03:49 +01:00
gspca gspca: konica: add missing endpoint sanity check 2017-05-25 14:30:14 +02:00
hackrf [media] hackrf: move RF gain ctrl enable behind module parameter 2015-12-18 15:25:29 -02:00
hdpvr hdpvr: hide unused variable 2018-02-25 11:03:49 +01:00
msi2500 [media] media: videobuf2: Change queue_setup argument 2015-10-20 14:48:39 -02:00
pvrusb2 pvrusb2: reduce stack usage pvr2_eeprom_analyze() 2017-06-26 07:13:09 +02:00
pwc pwc: hide unused label 2018-02-25 11:03:45 +01:00
s2255 [media] media: videobuf2: Change queue_setup argument 2015-10-20 14:48:39 -02:00
siano siano: make it work again with CONFIG_VMAP_STACK 2017-02-23 17:43:09 +01:00
stk1160 [media] media: videobuf2: Change queue_setup argument 2015-10-20 14:48:39 -02:00
stkwebcam [media] stk-webcam: Delete an unnecessary check before the function call "vfree" 2015-03-02 14:53:27 -03:00
tm6000 [media] cx25821, cx88, tm6000: use SNDRV_DEFAULT_ENABLE_PNP 2015-10-01 08:42:52 -03:00
ttusb-budget [media] dvb: Get rid of typedev usage for enums 2015-06-09 17:47:35 -03:00
ttusb-dec [media] dvb: get rid of enum dmx_success 2015-10-06 19:53:02 -03:00
usbtv media: usbtv: prevent double free in error case 2018-04-08 11:52:00 +02:00
usbvision usbvision fix overflow of interfaces array 2018-01-17 09:35:27 +01:00
uvc media: uvcvideo: Fix 'type' check leading to overflow 2019-08-09 17:59:09 +02:00
zr364xx zr364xx: enforce minimum size when reading header 2017-05-25 14:30:14 +02:00
Kconfig
Makefile