releases/3.2.2/v4l-dvb-v4l2-ioctl-integer-overflow-in-video_usercopy.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 6c06108be53ca5e94d8b0e93883d534dd9079646 Mon Sep 17 00:00:00 2001
 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Thu, 5 Jan 2012 02:27:57 -0300
 Subject: [media] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()

 From: Dan Carpenter <dan.carpenter@oracle.com>

 commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream.

 If ctrls->count is too high the multiplication could overflow and
 array_size would be lower than expected.  Mauro and Hans Verkuil
 suggested that we cap it at 1024.  That comes from the maximum
 number of controls with lots of room for expantion.

 $ grep V4L2_CID include/linux/videodev2.h | wc -l
 211

 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  drivers/media/video/v4l2-ioctl.c |    4 ++++
  include/linux/videodev2.h        |    1 +
  2 files changed, 5 insertions(+)

 --- a/drivers/media/video/v4l2-ioctl.c
 +++ b/drivers/media/video/v4l2-ioctl.c
 @@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int
  		struct v4l2_ext_controls *ctrls = parg;

  		if (ctrls->count != 0) {
 +			if (ctrls->count > V4L2_CID_MAX_CTRLS) {
 +				ret = -EINVAL;
 +				break;
 +			}
  			*user_ptr = (void __user *)ctrls->controls;
  			*kernel_ptr = (void *)&ctrls->controls;
  			*array_size = sizeof(struct v4l2_ext_control)
 --- a/include/linux/videodev2.h
 +++ b/include/linux/videodev2.h
 @@ -1131,6 +1131,7 @@ struct v4l2_querymenu {
  #define V4L2_CTRL_FLAG_NEXT_CTRL	0x80000000

  /*  User-class control IDs defined by V4L2 */
 +#define V4L2_CID_MAX_CTRLS		1024
  #define V4L2_CID_BASE			(V4L2_CTRL_CLASS_USER | 0x900)
  #define V4L2_CID_USER_BASE 		V4L2_CID_BASE
  /*  IDs reserved for driver specific controls */
	From 6c06108be53ca5e94d8b0e93883d534dd9079646 Mon Sep 17 00:00:00 2001
	From: Dan Carpenter <dan.carpenter@oracle.com>
	Date: Thu, 5 Jan 2012 02:27:57 -0300
	Subject: [media] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()

	From: Dan Carpenter <dan.carpenter@oracle.com>

	commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream.

	If ctrls->count is too high the multiplication could overflow and
	array_size would be lower than expected. Mauro and Hans Verkuil
	suggested that we cap it at 1024. That comes from the maximum
	number of controls with lots of room for expantion.

	$ grep V4L2_CID include/linux/videodev2.h \| wc -l
	211

	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	drivers/media/video/v4l2-ioctl.c \| 4 ++++
	include/linux/videodev2.h \| 1 +
	2 files changed, 5 insertions(+)

	--- a/drivers/media/video/v4l2-ioctl.c
	+++ b/drivers/media/video/v4l2-ioctl.c
	@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int
	struct v4l2_ext_controls *ctrls = parg;

	if (ctrls->count != 0) {
	+ if (ctrls->count > V4L2_CID_MAX_CTRLS) {
	+ ret = -EINVAL;
	+ break;
	+ }
	user_ptr = (void __user )ctrls->controls;
	kernel_ptr = (void )&ctrls->controls;
	*array_size = sizeof(struct v4l2_ext_control)
	--- a/include/linux/videodev2.h
	+++ b/include/linux/videodev2.h
	@@ -1131,6 +1131,7 @@ struct v4l2_querymenu {
	#define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000

	/* User-class control IDs defined by V4L2 */
	+#define V4L2_CID_MAX_CTRLS 1024
	#define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER \| 0x900)
	#define V4L2_CID_USER_BASE V4L2_CID_BASE
	/* IDs reserved for driver specific controls */