rpms/kernel/F-8 linux-2.6-uvcvideo-dont-use-stack-based-buffers.patch, NONE, 1.1 linux-2.6-uvcvideo-fix-another-buffer-overflow.patch, NONE, 1.1 linux-2.6-uvcvideo-return-sensible-min-max-values.patch, NONE, 1.1 kernel.spec, 1.548, 1.549
Chuck Ebbert
cebbert at fedoraproject.org
Fri Oct 10 09:07:26 UTC 2008
- Previous message: rpms/kernel/F-9 linux-2.6-uvcvideo-dont-use-stack-based-buffers.patch, NONE, 1.1 linux-2.6-uvcvideo-fix-another-buffer-overflow.patch, NONE, 1.1 linux-2.6-uvcvideo-return-sensible-min-max-values.patch, NONE, 1.1 kernel.spec, 1.789, 1.790
- Next message: rpms/bluez-gnome/devel 0001-Fix-PS3-BD-remote-pairing.patch, NONE, 1.1 bluez-gnome.spec, 1.64, 1.65
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6535
Modified Files:
kernel.spec
Added Files:
linux-2.6-uvcvideo-dont-use-stack-based-buffers.patch
linux-2.6-uvcvideo-fix-another-buffer-overflow.patch
linux-2.6-uvcvideo-return-sensible-min-max-values.patch
Log Message:
Fix buffer overflow in uvcvideo driver.
linux-2.6-uvcvideo-dont-use-stack-based-buffers.patch:
--- NEW FILE linux-2.6-uvcvideo-dont-use-stack-based-buffers.patch ---
From: Laurent Pinchart <laurent.pinchart at skynet.be>
Date: Thu, 31 Jul 2008 20:11:12 +0000 (-0300)
Subject: V4L/DVB (8617): uvcvideo: don't use stack-based buffers for USB transfers.
X-Git-Tag: v2.6.27-rc3~79^2
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=04793dd041bbb88a39b768b714c725de2c339b51
V4L/DVB (8617): uvcvideo: don't use stack-based buffers for USB transfers.
Data buffers on the stack are not allowed for USB I/O. Use dynamically
allocated buffers instead.
Signed-off-by: Bruce Schmid <duck at freescale.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart at skynet.be>
Signed-off-by: Mauro Carvalho Chehab <mchehab at infradead.org>
---
diff --git a/drivers/media/video/uvc/uvc_ctrl.c b/drivers/media/video/uvc/uvc_ctrl.c
index 626f4ad..6ef3e52 100644
--- a/drivers/media/video/uvc/uvc_ctrl.c
+++ b/drivers/media/video/uvc/uvc_ctrl.c
@@ -585,13 +585,17 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video,
struct uvc_control_mapping *mapping;
struct uvc_menu_info *menu;
unsigned int i;
- __u8 data[8];
+ __u8 *data;
int ret;
ctrl = uvc_find_control(video, v4l2_ctrl->id, &mapping);
if (ctrl == NULL)
return -EINVAL;
+ data = kmalloc(8, GFP_KERNEL);
+ if (data == NULL)
+ return -ENOMEM;
+
memset(v4l2_ctrl, 0, sizeof *v4l2_ctrl);
v4l2_ctrl->id = mapping->id;
v4l2_ctrl->type = mapping->v4l2_type;
@@ -604,8 +608,8 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video,
if (ctrl->info->flags & UVC_CONTROL_GET_DEF) {
if ((ret = uvc_query_ctrl(video->dev, GET_DEF, ctrl->entity->id,
video->dev->intfnum, ctrl->info->selector,
- &data, ctrl->info->size)) < 0)
- return ret;
+ data, ctrl->info->size)) < 0)
+ goto out;
v4l2_ctrl->default_value = uvc_get_le_value(data, mapping);
}
@@ -623,13 +627,15 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video,
}
}
- return 0;
+ ret = 0;
+ goto out;
case V4L2_CTRL_TYPE_BOOLEAN:
v4l2_ctrl->minimum = 0;
v4l2_ctrl->maximum = 1;
v4l2_ctrl->step = 1;
- return 0;
+ ret = 0;
+ goto out;
default:
break;
@@ -638,26 +644,29 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video,
if (ctrl->info->flags & UVC_CONTROL_GET_MIN) {
if ((ret = uvc_query_ctrl(video->dev, GET_MIN, ctrl->entity->id,
video->dev->intfnum, ctrl->info->selector,
- &data, ctrl->info->size)) < 0)
- return ret;
+ data, ctrl->info->size)) < 0)
+ goto out;
v4l2_ctrl->minimum = uvc_get_le_value(data, mapping);
}
if (ctrl->info->flags & UVC_CONTROL_GET_MAX) {
if ((ret = uvc_query_ctrl(video->dev, GET_MAX, ctrl->entity->id,
video->dev->intfnum, ctrl->info->selector,
- &data, ctrl->info->size)) < 0)
- return ret;
+ data, ctrl->info->size)) < 0)
+ goto out;
v4l2_ctrl->maximum = uvc_get_le_value(data, mapping);
}
if (ctrl->info->flags & UVC_CONTROL_GET_RES) {
if ((ret = uvc_query_ctrl(video->dev, GET_RES, ctrl->entity->id,
video->dev->intfnum, ctrl->info->selector,
- &data, ctrl->info->size)) < 0)
- return ret;
+ data, ctrl->info->size)) < 0)
+ goto out;
v4l2_ctrl->step = uvc_get_le_value(data, mapping);
}
- return 0;
+ ret = 0;
+out:
+ kfree(data);
+ return ret;
}
diff --git a/drivers/media/video/uvc/uvc_video.c b/drivers/media/video/uvc/uvc_video.c
index ad63794..6854ac7 100644
--- a/drivers/media/video/uvc/uvc_video.c
+++ b/drivers/media/video/uvc/uvc_video.c
@@ -90,17 +90,20 @@ static void uvc_fixup_buffer_size(struct uvc_video_device *video,
static int uvc_get_video_ctrl(struct uvc_video_device *video,
struct uvc_streaming_control *ctrl, int probe, __u8 query)
{
- __u8 data[34];
- __u8 size;
+ __u8 *data;
+ __u16 size;
int ret;
size = video->dev->uvc_version >= 0x0110 ? 34 : 26;
+ data = kmalloc(size, GFP_KERNEL);
+ if (data == NULL)
+ return -ENOMEM;
+
ret = __uvc_query_ctrl(video->dev, query, 0, video->streaming->intfnum,
- probe ? VS_PROBE_CONTROL : VS_COMMIT_CONTROL, &data, size,
+ probe ? VS_PROBE_CONTROL : VS_COMMIT_CONTROL, data, size,
UVC_CTRL_STREAMING_TIMEOUT);
-
if (ret < 0)
- return ret;
+ goto out;
ctrl->bmHint = le16_to_cpup((__le16 *)&data[0]);
ctrl->bFormatIndex = data[2];
@@ -136,17 +139,22 @@ static int uvc_get_video_ctrl(struct uvc_video_device *video,
*/
uvc_fixup_buffer_size(video, ctrl);
- return 0;
+out:
+ kfree(data);
+ return ret;
}
int uvc_set_video_ctrl(struct uvc_video_device *video,
struct uvc_streaming_control *ctrl, int probe)
{
- __u8 data[34];
- __u8 size;
+ __u8 *data;
+ __u16 size;
+ int ret;
size = video->dev->uvc_version >= 0x0110 ? 34 : 26;
- memset(data, 0, sizeof data);
+ data = kzalloc(size, GFP_KERNEL);
+ if (data == NULL)
+ return -ENOMEM;
*(__le16 *)&data[0] = cpu_to_le16(ctrl->bmHint);
data[2] = ctrl->bFormatIndex;
@@ -174,10 +182,13 @@ int uvc_set_video_ctrl(struct uvc_video_device *video,
data[33] = ctrl->bMaxVersion;
}
- return __uvc_query_ctrl(video->dev, SET_CUR, 0,
+ ret = __uvc_query_ctrl(video->dev, SET_CUR, 0,
video->streaming->intfnum,
- probe ? VS_PROBE_CONTROL : VS_COMMIT_CONTROL, &data, size,
+ probe ? VS_PROBE_CONTROL : VS_COMMIT_CONTROL, data, size,
UVC_CTRL_STREAMING_TIMEOUT);
+
+ kfree(data);
+ return ret;
}
int uvc_probe_video(struct uvc_video_device *video,
linux-2.6-uvcvideo-fix-another-buffer-overflow.patch:
--- NEW FILE linux-2.6-uvcvideo-fix-another-buffer-overflow.patch ---
Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fe6c700ff34e68e1eb7991e9c5d18986d0005ac1
Commit: fe6c700ff34e68e1eb7991e9c5d18986d0005ac1
Parent: bda1cda54b7e1654e9416fec76e6342847b25216
Author: Ralph Loader <suckfish at ihug.co.nz>
AuthorDate: Mon Sep 22 21:06:48 2008 -0300
Committer: Mauro Carvalho Chehab <mchehab at redhat.com>
CommitDate: Sat Oct 4 23:04:32 2008 -0300
V4L/DVB (9053): fix buffer overflow in uvc-video
There is a buffer overflow in drivers/media/video/uvc/uvc_ctrl.c:
INFO: 0xf2c5ce08-0xf2c5ce0b. First byte 0xa1 instead of 0xcc
INFO: Allocated in uvc_query_v4l2_ctrl+0x3c/0x239 [uvcvideo] age=13 cpu=1 pid=4975
...
A fixed size 8-byte buffer is allocated, and a variable size field is read
into it; there is no particular bound on the size of the field (it is
dependent on hardware and configuration) and it can overflow [also
verified by inserting printk's.]
The patch attempts to size the buffer to the correctly.
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Acked-by: Laurent Pinchart <laurent.pinchart at skynet.be>
Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
---
drivers/media/video/uvc/uvc_ctrl.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/media/video/uvc/uvc_ctrl.c b/drivers/media/video/uvc/uvc_ctrl.c
index 6ef3e52..feab12a 100644
--- a/drivers/media/video/uvc/uvc_ctrl.c
+++ b/drivers/media/video/uvc/uvc_ctrl.c
@@ -592,7 +592,7 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video,
if (ctrl == NULL)
return -EINVAL;
- data = kmalloc(8, GFP_KERNEL);
+ data = kmalloc(ctrl->info->size, GFP_KERNEL);
if (data == NULL)
return -ENOMEM;
linux-2.6-uvcvideo-return-sensible-min-max-values.patch:
--- NEW FILE linux-2.6-uvcvideo-return-sensible-min-max-values.patch ---
From: Laurent Pinchart <laurent.pinchart at skynet.be>
Date: Thu, 17 Jul 2008 10:37:37 +0000 (-0300)
Subject: V4L/DVB (8498): uvcvideo: Return sensible min and max values when querying a boolean ...
X-Git-Tag: v2.6.27-rc1~31^2~42
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=54812c77bc830e2dbcb62b4c6d8a9c7f97cfdd1b
V4L/DVB (8498): uvcvideo: Return sensible min and max values when querying a boolean control.
Although the V4L2 spec states that the minimum and maximum fields may not be
valid for control types other than V4L2_CTRL_TYPE_INTEGER, it makes sense
to set the bounds to 0 and 1 for boolean controls instead of returning
uninitialized values.
Signed-off-by: Laurent Pinchart <laurent.pinchart at skynet.be>
Signed-off-by: Mauro Carvalho Chehab <mchehab at infradead.org>
---
diff --git a/drivers/media/video/uvc/uvc_ctrl.c b/drivers/media/video/uvc/uvc_ctrl.c
index f54d06a..626f4ad 100644
--- a/drivers/media/video/uvc/uvc_ctrl.c
+++ b/drivers/media/video/uvc/uvc_ctrl.c
@@ -592,6 +592,7 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video,
if (ctrl == NULL)
return -EINVAL;
+ memset(v4l2_ctrl, 0, sizeof *v4l2_ctrl);
v4l2_ctrl->id = mapping->id;
v4l2_ctrl->type = mapping->v4l2_type;
strncpy(v4l2_ctrl->name, mapping->name, sizeof v4l2_ctrl->name);
@@ -608,7 +609,8 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video,
v4l2_ctrl->default_value = uvc_get_le_value(data, mapping);
}
- if (mapping->v4l2_type == V4L2_CTRL_TYPE_MENU) {
+ switch (mapping->v4l2_type) {
+ case V4L2_CTRL_TYPE_MENU:
v4l2_ctrl->minimum = 0;
v4l2_ctrl->maximum = mapping->menu_count - 1;
v4l2_ctrl->step = 1;
@@ -622,6 +624,15 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video,
}
return 0;
+
+ case V4L2_CTRL_TYPE_BOOLEAN:
+ v4l2_ctrl->minimum = 0;
+ v4l2_ctrl->maximum = 1;
+ v4l2_ctrl->step = 1;
+ return 0;
+
+ default:
+ break;
}
if (ctrl->info->flags & UVC_CONTROL_GET_MIN) {
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-8/kernel.spec,v
retrieving revision 1.548
retrieving revision 1.549
diff -u -r1.548 -r1.549
--- kernel.spec 10 Oct 2008 08:42:25 -0000 1.548
+++ kernel.spec 10 Oct 2008 09:06:55 -0000 1.549
@@ -682,6 +682,10 @@
Patch1101: linux-2.6-default-mmf_dump_elf_headers.patch
Patch1308: linux-2.6-usb-ehci-hcd-respect-nousb.patch
+# uvc video buffer overflow
+Patch1310: linux-2.6-uvcvideo-return-sensible-min-max-values.patch
+Patch1311: linux-2.6-uvcvideo-dont-use-stack-based-buffers.patch
+Patch1312: linux-2.6-uvcvideo-fix-another-buffer-overflow.patch
Patch1400: linux-2.6-smarter-relatime.patch
@@ -1237,6 +1241,10 @@
# USB
# respect the 'nousb' boot option
ApplyPatch linux-2.6-usb-ehci-hcd-respect-nousb.patch
+# uvcvideo buffer overflow
+ApplyPatch linux-2.6-uvcvideo-return-sensible-min-max-values.patch
+ApplyPatch linux-2.6-uvcvideo-dont-use-stack-based-buffers.patch
+ApplyPatch linux-2.6-uvcvideo-fix-another-buffer-overflow.patch
# ISDN
@@ -1854,6 +1862,9 @@
%changelog
+* Fri Oct 10 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.26.6-39
+- Fix buffer overflow in uvcvideo driver.
+
* Fri Oct 10 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.26.6-38
- Fix possible oops in get_wchan()
- Previous message: rpms/kernel/F-9 linux-2.6-uvcvideo-dont-use-stack-based-buffers.patch, NONE, 1.1 linux-2.6-uvcvideo-fix-another-buffer-overflow.patch, NONE, 1.1 linux-2.6-uvcvideo-return-sensible-min-max-values.patch, NONE, 1.1 kernel.spec, 1.789, 1.790
- Next message: rpms/bluez-gnome/devel 0001-Fix-PS3-BD-remote-pairing.patch, NONE, 1.1 bluez-gnome.spec, 1.64, 1.65
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list