linux_dsm_epyc7002/drivers/media/usb
Alistair Strachan 47bb117911 media: uvcvideo: Fix 'type' check leading to overflow

When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.

If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.

Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.

Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Alistair Strachan <astrachan@google.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-02-07 11:54:14 -05:00
airspy media: use strscpy() instead of strlcpy() 2018-09-11 13:32:17 -04:00
as102 media: fix usage of whitespaces and on indentation 2018-01-04 13:12:01 -05:00
au0828 media: vidioc_cropcap -> vidioc_g_pixelaspect 2018-11-20 13:57:21 -05:00
b2c2 media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
cpia2 media: cropcap/g_selection split 2018-11-20 13:37:18 -05:00
cx231xx media: vidioc_cropcap -> vidioc_g_pixelaspect 2018-11-20 13:57:21 -05:00
dvb-usb media: usb: dvb-usb: remove old friio driver 2018-12-05 03:25:41 -05:00
dvb-usb-v2 media: lmedm04: Move interrupt buffer to priv buffer. 2018-12-07 08:12:28 -05:00
em28xx media: em28xx: fix spelling mistake, "Cinnergy" -> "Cinergy" 2018-12-03 14:25:53 -05:00
go7007 media: use strscpy() instead of strlcpy() 2018-09-11 13:32:17 -04:00
gspca media: gspca: ov534-ov772x: remove unnecessary COM3 initialization 2019-01-16 14:00:46 -05:00
hackrf media: use strscpy() instead of strlcpy() 2018-09-11 13:32:17 -04:00
hdpvr media: replace strcpy() by strscpy() 2018-09-11 13:32:17 -04:00
msi2500 media updates for v4.20-rc1 2018-10-31 10:53:29 -07:00
pulse8-cec media: pulse8-cec: return 0 when invalidating the logical address 2018-11-23 05:49:11 -05:00
pvrusb2 media: pvrusb2: fix spelling mistake "statuss" -> "status" 2018-12-07 08:19:19 -05:00
pwc media: usb: pwc: Don't use coherent DMA buffers for ISO transfer 2019-01-16 11:16:06 -05:00
rainshadow-cec media: replace strcpy() by strscpy() 2018-09-11 13:32:17 -04:00
s2255 media: use strscpy() instead of strlcpy() 2018-09-11 13:32:17 -04:00
siano media: siano: Use kmemdup instead of duplicating its function 2018-12-07 09:42:18 -05:00
stk1160 media: replace strcpy() by strscpy() 2018-09-11 13:32:17 -04:00
stkwebcam media: stkwebcam: Bugfix for wrong return values 2018-12-05 14:10:48 -05:00
tm6000 media updates for v4.20-rc1 2018-10-31 10:53:29 -07:00
ttusb-budget media: replace strcpy() by strscpy() 2018-09-11 13:32:17 -04:00
ttusb-dec media: dvb: represent min/max/step/tolerance freqs in Hz 2018-08-02 18:10:48 -04:00
usbtv media: use strscpy() instead of strlcpy() 2018-09-11 13:32:17 -04:00
usbvision media: usbvision: remove time_in_irq 2018-09-12 08:02:25 -04:00
uvc media: uvcvideo: Fix 'type' check leading to overflow 2019-02-07 11:54:14 -05:00
zr364xx media: replace strcpy() by strscpy() 2018-09-11 13:32:17 -04:00
Kconfig
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00