linux-kernel - Re: [PATCH] media: uvcvideo: Fix OOB read

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite for Android: free password hash cracker in your pocket

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <20230720005717.GD57770@google.com>
Date:   Thu, 20 Jul 2023 09:57:17 +0900
From:   Sergey Senozhatsky <senozhatsky@...omium.org>
To:     Ricardo Ribalda <ribalda@...omium.org>
Cc:     Laurent Pinchart <laurent.pinchart@...asonboard.com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
        stable@...nel.org
Subject: Re: [PATCH] media: uvcvideo: Fix OOB read

On (23/07/19 12:05), Ricardo Ribalda wrote:
> diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
> index 5e9d3da862dd..5e3af66a2223 100644
> --- a/drivers/media/usb/uvc/uvc_ctrl.c
> +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> @@ -1402,6 +1402,9 @@ int uvc_query_v4l2_menu(struct uvc_video_chain *chain,
>  	query_menu->id = id;
>  	query_menu->index = index;
>  
> +	if (index >= UVC_MAX_MENU)
> +		return -EINVAL;

We probably can just do

	if (index >= BITS_PER_TYPE(mapping->menu_mask))
		return -EINVAL;

This should be better than using a hard-coded constant or even
BITS_PER_LONG (which is still a hard-coded constant). Because
BITS_PER_LONG won't get us covered if one day ->menu_mask data
type changes.