lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610213058.GG24465@pendragon.ideasonboard.com> Date: Wed, 11 Jun 2025 00:30:58 +0300 From: Laurent Pinchart <laurent.pinchart@...asonboard.com> To: Ricardo Ribalda <ribalda@...omium.org> Cc: Youngjun Lee <yjjuny.lee@...sung.com>, hdegoede@...hat.com, mchehab@...nel.org, linux-media@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] usb: uvc: Fix 1-byte out-of-bounds read in uvc_parse_format() On Tue, Jun 10, 2025 at 02:58:25PM +0200, Ricardo Ribalda wrote: > Hi Youngjun > > You still miss the v2 (v3 in this case). and the trailers. > > In the future you can use the b4 tool to take care of most of the details. > https://b4.docs.kernel.org/en/latest/contributor/overview.html > It has "dry-run" option that let you review the mails before you send > them to the mailing list > > Please do not resubmit a new patch to fix this, only send a new patch > to fix more comments for other people. > > Regards! > > On Tue, 10 Jun 2025 at 14:41, Youngjun Lee <yjjuny.lee@...sung.com> wrote: > > > > The buffer length check before calling uvc_parse_format() only ensured > > that the buffer has at least 3 bytes (buflen > 2), buf the function > > accesses buffer[3], requiring at least 4 bytes. > > > > This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. > > > > Fix it by checking that the buffer has at least 4 bytes in > > uvc_parse_format(). > > Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") > Cc: stable@...r.kernel.org > Reviewed-by: Ricardo Ribalda <ribalda@...omium.org> Reviewed-by: Laurent Pinchart <laurent.pinchart@...asonboard.com> > > Signed-off-by: Youngjun Lee <yjjuny.lee@...sung.com> > > --- > > drivers/media/usb/uvc/uvc_driver.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c > > index da24a655ab68..1100469a83a2 100644 > > --- a/drivers/media/usb/uvc/uvc_driver.c > > +++ b/drivers/media/usb/uvc/uvc_driver.c > > @@ -344,6 +344,9 @@ static int uvc_parse_format(struct uvc_device *dev, > > u8 ftype; > > int ret; > > > > + if (buflen < 4) > > + return -EINVAL; > > + > > format->type = buffer[2]; > > format->index = buffer[3]; > > format->frames = frames; -- Regards, Laurent Pinchart
Powered by blists - more mailing lists