v4l2-ioctl: integer overflow in video_usercopy()

svn path=/dists/sid/linux-2.6/; revision=18459
2012-01-08 01:41:34 +00:00 · 2012-01-08 01:41:34 +00:00 · 6a8499f514
parent 9413d691a6
commit 6a8499f514
3 changed files with 53 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -24,6 +24,7 @@ linux-2.6 (3.1.8-1) UNRELEASED; urgency=low
  * l2tp: ensure sk->dst is still valid (Closes: #652503)
  * Update Russian debconf template translations (Yuri Kozlov)
    (Closes: #653716)
+  * v4l2-ioctl: integer overflow in video_usercopy()

  [ Jonathan Nieder ]
  * prerm: Print an error message when aborting removal of the running
--- a/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
+++ b/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
@ -0,0 +1,51 @@
+Subject: [media] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Jan 5 02:27:57 2012 -0300
+
+If ctrls->count is too high the multiplication could overflow and
+array_size would be lower than expected.  Mauro and Hans Verkuil
+suggested that we cap it at 1024.  That comes from the maximum
+number of controls with lots of room for expantion.
+
+$ grep V4L2_CID include/linux/videodev2.h | wc -l
+211
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+---
+ drivers/media/video/v4l2-ioctl.c |    4 ++++
+ include/linux/videodev2.h        |    1 +
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+---
+
+http://git.linuxtv.org/media_tree.git?a=commitdiff;h=6c06108be53ca5e94d8b0e93883d534dd9079646
+
+diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
+index e1da8fc..639abee 100644
+--- a/drivers/media/video/v4l2-ioctl.c
+++ b/drivers/media/video/v4l2-ioctl.c
+@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
+ 		struct v4l2_ext_controls *ctrls = parg;
+ 
+ 		if (ctrls->count != 0) {
+			if (ctrls->count > V4L2_CID_MAX_CTRLS) {
+				ret = -EINVAL;
+				break;
+			}
+ 			*user_ptr = (void __user *)ctrls->controls;
+ 			*kernel_ptr = (void *)&ctrls->controls;
+ 			*array_size = sizeof(struct v4l2_ext_control)
+diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
+index 6bfaa76..b2e1331 100644
+--- a/include/linux/videodev2.h
+++ b/include/linux/videodev2.h
+@@ -1132,6 +1132,7 @@ struct v4l2_querymenu {
+ #define V4L2_CTRL_FLAG_NEXT_CTRL	0x80000000
+ 
+ /*  User-class control IDs defined by V4L2 */
+#define V4L2_CID_MAX_CTRLS		1024
+ #define V4L2_CID_BASE			(V4L2_CTRL_CLASS_USER | 0x900)
+ #define V4L2_CID_USER_BASE 		V4L2_CID_BASE
+ /*  IDs reserved for driver specific controls */
--- a/debian/patches/series/base
+++ b/debian/patches/series/base
@ -91,3 +91,4 @@
 + bugfix/all/l2tp-ensure-sk-dst-is-still-valid.patch
 + debian/block-Restore-blk_init_allocated_queue_node-for-ABI-.patch
 + debian/sparc-Change-io_remap_pfn_range-back-into-an-extern-.patch
+ bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch