| From cebbert@redhat.com Thu Oct 16 16:06:43 2008 |
| From: Ralph Loader <suckfish@ihug.co.nz> |
| Date: Mon, 13 Oct 2008 19:35:38 -0400 |
| Subject: V4L/DVB (9053): fix buffer overflow in uvc-video |
| To: stable@kernel.org |
| Cc: Mauro Carvalho Chehab <mchehab@infradead.org> |
| Message-ID: <20081013193538.155c96fc@redhat.com> |
| |
| From: Ralph Loader <suckfish@ihug.co.nz> |
| |
| Commit fe6c700ff34e68e1eb7991e9c5d18986d0005ac1 upstream |
| |
| V4L/DVB (9053): fix buffer overflow in uvc-video |
| |
| There is a buffer overflow in drivers/media/video/uvc/uvc_ctrl.c: |
| |
| INFO: 0xf2c5ce08-0xf2c5ce0b. First byte 0xa1 instead of 0xcc |
| INFO: Allocated in uvc_query_v4l2_ctrl+0x3c/0x239 [uvcvideo] age=13 cpu=1 pid=4975 |
| ... |
| |
| A fixed size 8-byte buffer is allocated, and a variable size field is read |
| into it; there is no particular bound on the size of the field (it is |
| dependent on hardware and configuration) and it can overflow [also |
| verified by inserting printk's.] |
| |
| The patch attempts to size the buffer to the correctly. |
| |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Acked-by: Laurent Pinchart <laurent.pinchart@skynet.be> |
| Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> |
| Cc: Chuck Ebbert <cebbert@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/media/video/uvc/uvc_ctrl.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/media/video/uvc/uvc_ctrl.c |
| +++ b/drivers/media/video/uvc/uvc_ctrl.c |
| @@ -592,7 +592,7 @@ int uvc_query_v4l2_ctrl(struct uvc_video |
| if (ctrl == NULL) |
| return -EINVAL; |
| |
| - data = kmalloc(8, GFP_KERNEL); |
| + data = kmalloc(ctrl->info->size, GFP_KERNEL); |
| if (data == NULL) |
| return -ENOMEM; |
| |