v4l2-ioctl: integer overflow in video_usercopy()
svn path=/dists/sid/linux-2.6/; revision=18459
This commit is contained in:
parent
9413d691a6
commit
6a8499f514
|
@ -24,6 +24,7 @@ linux-2.6 (3.1.8-1) UNRELEASED; urgency=low
|
|||
* l2tp: ensure sk->dst is still valid (Closes: #652503)
|
||||
* Update Russian debconf template translations (Yuri Kozlov)
|
||||
(Closes: #653716)
|
||||
* v4l2-ioctl: integer overflow in video_usercopy()
|
||||
|
||||
[ Jonathan Nieder ]
|
||||
* prerm: Print an error message when aborting removal of the running
|
||||
|
|
51
debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
vendored
Normal file
51
debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
vendored
Normal file
|
@ -0,0 +1,51 @@
|
|||
Subject: [media] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
|
||||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Thu Jan 5 02:27:57 2012 -0300
|
||||
|
||||
If ctrls->count is too high the multiplication could overflow and
|
||||
array_size would be lower than expected. Mauro and Hans Verkuil
|
||||
suggested that we cap it at 1024. That comes from the maximum
|
||||
number of controls with lots of room for expantion.
|
||||
|
||||
$ grep V4L2_CID include/linux/videodev2.h | wc -l
|
||||
211
|
||||
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
|
||||
---
|
||||
drivers/media/video/v4l2-ioctl.c | 4 ++++
|
||||
include/linux/videodev2.h | 1 +
|
||||
2 files changed, 5 insertions(+), 0 deletions(-)
|
||||
|
||||
---
|
||||
|
||||
http://git.linuxtv.org/media_tree.git?a=commitdiff;h=6c06108be53ca5e94d8b0e93883d534dd9079646
|
||||
|
||||
diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
|
||||
index e1da8fc..639abee 100644
|
||||
--- a/drivers/media/video/v4l2-ioctl.c
|
||||
+++ b/drivers/media/video/v4l2-ioctl.c
|
||||
@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
|
||||
struct v4l2_ext_controls *ctrls = parg;
|
||||
|
||||
if (ctrls->count != 0) {
|
||||
+ if (ctrls->count > V4L2_CID_MAX_CTRLS) {
|
||||
+ ret = -EINVAL;
|
||||
+ break;
|
||||
+ }
|
||||
*user_ptr = (void __user *)ctrls->controls;
|
||||
*kernel_ptr = (void *)&ctrls->controls;
|
||||
*array_size = sizeof(struct v4l2_ext_control)
|
||||
diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
|
||||
index 6bfaa76..b2e1331 100644
|
||||
--- a/include/linux/videodev2.h
|
||||
+++ b/include/linux/videodev2.h
|
||||
@@ -1132,6 +1132,7 @@ struct v4l2_querymenu {
|
||||
#define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000
|
||||
|
||||
/* User-class control IDs defined by V4L2 */
|
||||
+#define V4L2_CID_MAX_CTRLS 1024
|
||||
#define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER | 0x900)
|
||||
#define V4L2_CID_USER_BASE V4L2_CID_BASE
|
||||
/* IDs reserved for driver specific controls */
|
|
@ -91,3 +91,4 @@
|
|||
+ bugfix/all/l2tp-ensure-sk-dst-is-still-valid.patch
|
||||
+ debian/block-Restore-blk_init_allocated_queue_node-for-ABI-.patch
|
||||
+ debian/sparc-Change-io_remap_pfn_range-back-into-an-extern-.patch
|
||||
+ bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
|
||||
|
|
Loading…
Reference in New Issue