| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <01b501dbda70$d47d5ee0$7d781ca0$@samsung.com>
Date: Wed, 11 Jun 2025 10:33:27 +0900
From: <yjjuny.lee@...sung.com>
To: "'Laurent Pinchart'" <laurent.pinchart@...asonboard.com>, "'Ricardo
Ribalda'" <ribalda@...omium.org>
Cc: <hdegoede@...hat.com>, <mchehab@...nel.org>,
<linux-media@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] usb: uvc: Fix 1-byte out-of-bounds read in
uvc_parse_format()
The buffer length check before calling uvc_parse_format() only ensured
that the buffer has at least 3 bytes (buflen > 2), buf the function
accesses buffer[3], requiring at least 4 bytes.
This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
Fix it by checking that the buffer has at least 4 bytes in
uvc_parse_format().
Signed-off-by: Youngjun Lee <yjjuny.lee@...sung.com>
Reviewed-by: Ricardo Ribalda <ribalda@...omium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@...asonboard.com>
---
drivers/media/usb/uvc/uvc_driver.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index da24a655ab68..1100469a83a2 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -344,6 +344,9 @@ static int uvc_parse_format(struct uvc_device *dev,
u8 ftype;
int ret;
+ if (buflen < 4)
+ return -EINVAL;
+
format->type = buffer[2];
format->index = buffer[3];
format->frames = frames;
--
2.43.0
> On Tue, Jun 10, 2025 at 02:58:25PM +0200, Ricardo Ribalda wrote:
> > Hi Youngjun
> >
> > You still miss the v2 (v3 in this case). and the trailers.
> >
> > In the future you can use the b4 tool to take care of most of the details.
> > https://b4.docs.kernel.org/en/latest/contributor/overview.html
> > It has "dry-run" option that let you review the mails before you send
> > them to the mailing list
> >
> > Please do not resubmit a new patch to fix this, only send a new patch
> > to fix more comments for other people.
> >
> > Regards!
> >
> > On Tue, 10 Jun 2025 at 14:41, Youngjun Lee <yjjuny.lee@...sung.com> wrote:
> > >
> > > The buffer length check before calling uvc_parse_format() only
> > > ensured that the buffer has at least 3 bytes (buflen > 2), buf the
> > > function accesses buffer[3], requiring at least 4 bytes.
> > >
> > > This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
> > >
> > > Fix it by checking that the buffer has at least 4 bytes in
> > > uvc_parse_format().
> >
> > Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
> > Cc: stable@...r.kernel.org
> > Reviewed-by: Ricardo Ribalda <ribalda@...omium.org>
>
> Reviewed-by: Laurent Pinchart <laurent.pinchart@...asonboard.com>
>
> > > Signed-off-by: Youngjun Lee <yjjuny.lee@...sung.com>
> > > ---
> > > drivers/media/usb/uvc/uvc_driver.c | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/media/usb/uvc/uvc_driver.c
> > > b/drivers/media/usb/uvc/uvc_driver.c
> > > index da24a655ab68..1100469a83a2 100644
> > > --- a/drivers/media/usb/uvc/uvc_driver.c
> > > +++ b/drivers/media/usb/uvc/uvc_driver.c
> > > @@ -344,6 +344,9 @@ static int uvc_parse_format(struct uvc_device *dev,
> > > u8 ftype;
> > > int ret;
> > >
> > > + if (buflen < 4)
> > > + return -EINVAL;
> > > +
> > > format->type = buffer[2];
> > > format->index = buffer[3];
> > > format->frames = frames;
--
Thanks & Regards,
Youngjun Lee
Powered by blists - more mailing lists