lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250610213058.GG24465@pendragon.ideasonboard.com>
Date: Wed, 11 Jun 2025 00:30:58 +0300
From: Laurent Pinchart <laurent.pinchart@...asonboard.com>
To: Ricardo Ribalda <ribalda@...omium.org>
Cc: Youngjun Lee <yjjuny.lee@...sung.com>, hdegoede@...hat.com,
	mchehab@...nel.org, linux-media@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] usb: uvc: Fix 1-byte out-of-bounds read in
 uvc_parse_format()

On Tue, Jun 10, 2025 at 02:58:25PM +0200, Ricardo Ribalda wrote:
> Hi Youngjun
> 
> You still miss the v2 (v3 in this case). and the trailers.
> 
> In the future you can use the b4 tool to take care of most of the details.
> https://b4.docs.kernel.org/en/latest/contributor/overview.html
> It has "dry-run" option that let you review the mails before you send
> them to the mailing list
> 
> Please do not resubmit a new patch to fix this, only send a new patch
> to fix more comments for other people.
> 
> Regards!
> 
> On Tue, 10 Jun 2025 at 14:41, Youngjun Lee <yjjuny.lee@...sung.com> wrote:
> >
> > The buffer length check before calling uvc_parse_format() only ensured
> > that the buffer has at least 3 bytes (buflen > 2), buf the function
> > accesses buffer[3], requiring at least 4 bytes.
> >
> > This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
> >
> > Fix it by checking that the buffer has at least 4 bytes in
> > uvc_parse_format().
>
> Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
> Cc: stable@...r.kernel.org
> Reviewed-by: Ricardo Ribalda <ribalda@...omium.org>

Reviewed-by: Laurent Pinchart <laurent.pinchart@...asonboard.com>

> > Signed-off-by: Youngjun Lee <yjjuny.lee@...sung.com>
> > ---
> >  drivers/media/usb/uvc/uvc_driver.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
> > index da24a655ab68..1100469a83a2 100644
> > --- a/drivers/media/usb/uvc/uvc_driver.c
> > +++ b/drivers/media/usb/uvc/uvc_driver.c
> > @@ -344,6 +344,9 @@ static int uvc_parse_format(struct uvc_device *dev,
> >         u8 ftype;
> >         int ret;
> >
> > +       if (buflen < 4)
> > +               return -EINVAL;
> > +
> >         format->type = buffer[2];
> >         format->index = buffer[3];
> >         format->frames = frames;

-- 
Regards,

Laurent Pinchart

Powered by blists - more mailing lists