lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ffd6b9a1da2de45b6dc7298958a7d71bc5a22358.camel@collabora.com>
Date:   Tue, 05 Jun 2018 10:07:38 -0400
From:   Nicolas Dufresne <nicolas.dufresne@...labora.com>
To:     Laurent Pinchart <laurent.pinchart@...asonboard.com>
Cc:     Mauro Carvalho Chehab <mchehab@...nel.org>,
        linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] uvcvideo: Also validate buffers in BULK mode

Le mardi 05 juin 2018 à 11:52 +0300, Laurent Pinchart a écrit :
> Hi Nicolas,
> 
> Thank you for the patch.
> 
> On Tuesday, 5 June 2018 03:24:15 EEST Nicolas Dufresne wrote:
> > Just like for ISOC, validate the decoded BULK buffer size when possible.
> > This avoids sending corrupted or partial buffers to userspace, which may
> > lead to application crash or run-time failure.
> > 
> > Signed-off-by: Nicolas Dufresne <nicolas.dufresne@...labora.com>
> > ---
> >  drivers/media/usb/uvc/uvc_video.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/media/usb/uvc/uvc_video.c
> > b/drivers/media/usb/uvc/uvc_video.c index aa0082fe5833..46df4d01e31b 100644
> > --- a/drivers/media/usb/uvc/uvc_video.c
> > +++ b/drivers/media/usb/uvc/uvc_video.c
> > @@ -1307,8 +1307,10 @@ static void uvc_video_decode_bulk(struct urb *urb,
> > struct uvc_streaming *stream, if (stream->bulk.header_size == 0 &&
> > !stream->bulk.skip_payload) { do {
> >  			ret = uvc_video_decode_start(stream, buf, mem, len);
> > -			if (ret == -EAGAIN)
> > +			if (ret == -EAGAIN) {
> > +				uvc_video_validate_buffer(stream, buf);
> >  				uvc_video_next_buffers(stream, &buf, &meta_buf);
> 
> Wouldn't it be simpler to move the uvc_video_validate_buffer() call to 
> uvc_video_next_buffers() ?

Sounds like a good idea, it will prevent forgetting about it if this
code get extended.

> 
> > +			}
> >  		} while (ret == -EAGAIN);
> > 
> >  		/* If an error occurred skip the rest of the payload. */
> > @@ -1342,8 +1344,10 @@ static void uvc_video_decode_bulk(struct urb *urb,
> > struct uvc_streaming *stream, if (!stream->bulk.skip_payload && buf !=
> > NULL) {
> >  			uvc_video_decode_end(stream, buf, stream->bulk.header,
> >  				stream->bulk.payload_size);
> > -			if (buf->state == UVC_BUF_STATE_READY)
> > +			if (buf->state == UVC_BUF_STATE_READY) {
> > +				uvc_video_validate_buffer(stream, buf);
> >  				uvc_video_next_buffers(stream, &buf, &meta_buf);
> > +			}
> >  		}
> > 
> >  		stream->bulk.header_size = 0;
> 
> 
Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ