[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <e1d5059a4e88c44a9fe45a266adf8978735dde32.1458125909.git.jslaby@suse.cz>
Date: Wed, 16 Mar 2016 11:58:52 +0100
From: Jiri Slaby <jslaby@...e.cz>
To: stable@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, Oliver Neukum <oneukum@...e.com>,
Vladis Dronov <vdronov@...hat.com>,
Hans Verkuil <hans.verkuil@...co.com>,
Mauro Carvalho Chehab <mchehab@....samsung.com>,
Jiri Slaby <jslaby@...e.cz>
Subject: [PATCH 3.12 07/58] [media] usbvision fix overflow of interfaces array
From: Oliver Neukum <oneukum@...e.com>
3.12-stable review patch. If anyone has any objections, please let me know.
===============
commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.
This fixes the crash reported in:
http://seclists.org/bugtraq/2015/Oct/35
The interface number needs a sanity check.
Signed-off-by: Oliver Neukum <oneukum@...e.com>
Cc: Vladis Dronov <vdronov@...hat.com>
Signed-off-by: Hans Verkuil <hans.verkuil@...co.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@....samsung.com>
Signed-off-by: Jiri Slaby <jslaby@...e.cz>
---
drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
index ea5ec8ed67a7..3cf12da58787 100644
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1538,6 +1538,13 @@ static int usbvision_probe(struct usb_interface *intf,
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].model_string);
+ /*
+ * this is a security check.
+ * an exploit using an incorrect bInterfaceNumber is known
+ */
+ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
+ return -ENODEV;
+
if (usbvision_device_data[model].interface >= 0)
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
else
--
2.7.3
Powered by blists - more mailing lists