AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2025-01-16 13:36:08 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
47bb117911
linux_dsm_epyc7002/drivers/media
History
Alistair Strachan 47bb117911 media: uvcvideo: Fix 'type' check leading to overflow 
When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.

If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.

Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.

Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Alistair Strachan <astrachan@google.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-02-07 11:54:14 -05:00
..
cec media: cec: keep track of outstanding transmits 2018-11-23 05:56:14 -05:00
common media: videobuf2: remove unused variable 2019-02-07 11:47:58 -05:00
dvb-core media: dvb_frontend: add debug message for frequency intervals 2018-11-23 11:59:45 -05:00
dvb-frontends media: dvb: Add check on sp8870_readreg 2019-01-16 11:45:33 -05:00
firewire media: firewire: Fix app_info parameter type in avc_ca{,_app}_info 2018-12-05 05:34:33 -05:00
i2c media: ov2640: fix initial try format 2019-01-25 11:02:04 -02:00
mmc media: siano: use GFP_DMA only for smssdio 2018-05-15 08:04:42 -04:00
pci media: ivtv: add parameter to enable ivtvfb on x86 PAT systems 2019-01-21 15:33:26 -02:00
platform media: vicodec: support SOURCE_CHANGE event for decoders only 2019-02-07 11:51:08 -05:00
radio media: si470x-i2c: Add optional reset-gpio support 2019-01-21 15:36:18 -02:00
rc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-12-27 13:04:52 -08:00
spi media: cxd2880-spi: fix two memory leaks of dvb_spi 2019-01-16 11:44:29 -05:00
tuners media: si2157: declare its own pads 2018-09-17 13:16:19 -04:00
usb media: uvcvideo: Fix 'type' check leading to overflow 2019-02-07 11:54:14 -05:00
v4l2-core media: media/v4l2-core/videobuf-vmalloc.c: Remove dead code 2019-01-21 15:46:22 -02:00
Kconfig media: Add a Kconfig option for the Request API 2018-12-05 13:07:43 -05:00
Makefile media: media-request: implement media requests 2018-08-31 11:04:51 -04:00
media-device.c media: Add a Kconfig option for the Request API 2018-12-05 13:07:43 -05:00
media-devnode.c MAINTAINERS & files: Canonize the e-mails I use at files 2018-05-04 06:21:06 -04:00
media-entity.c media: v4l2-mc: switch it to use the new approach to setup pipelines 2018-09-17 13:16:19 -04:00
media-request.c media: media-request: Add compat ioctl 2018-11-20 12:53:27 -05:00