3.18-stable patches

added patches:
	media-uvcvideo-fix-type-check-leading-to-overflow.patch

diff --git a/queue-3.18/media-uvcvideo-fix-type-check-leading-to-overflow.patch b/queue-3.18/media-uvcvideo-fix-type-check-leading-to-overflow.patch
new file mode 100644 (file)
index 0000000..b707249
--- /dev/null
+++ b/queue-3.18/media-uvcvideo-fix-type-check-leading-to-overflow.patch
@@ -0,0 +1,62 @@
+From 47bb117911b051bbc90764a8bff96543cbd2005f Mon Sep 17 00:00:00 2001
+From: Alistair Strachan <astrachan@google.com>
+Date: Tue, 18 Dec 2018 20:32:48 -0500
+Subject: media: uvcvideo: Fix 'type' check leading to overflow
+
+From: Alistair Strachan <astrachan@google.com>
+
+commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.
+
+When initially testing the Camera Terminal Descriptor wTerminalType
+field (buffer[4]), no mask is used. Later in the function, the MSB is
+overloaded to store the descriptor subtype, and so a mask of 0x7fff
+is used to check the type.
+
+If a descriptor is specially crafted to set this overloaded bit in the
+original wTerminalType field, the initial type check will fail (falling
+through, without adjusting the buffer size), but the later type checks
+will pass, assuming the buffer has been made suitably large, causing an
+overflow.
+
+Avoid this problem by checking for the MSB in the wTerminalType field.
+If the bit is set, assume the descriptor is bad, and abort parsing it.
+
+Originally reported here:
+https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
+A similar (non-compiling) patch was provided at that time.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Alistair Strachan <astrachan@google.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/uvc/uvc_driver.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -977,11 +977,19 @@ static int uvc_parse_standard_control(st
+                       return -EINVAL;
+               }
+ 
+-              /* Make sure the terminal type MSB is not null, otherwise it
+-               * could be confused with a unit.
++              /*
++               * Reject invalid terminal types that would cause issues:
++               *
++               * - The high byte must be non-zero, otherwise it would be
++               *   confused with a unit.
++               *
++               * - Bit 15 must be 0, as we use it internally as a terminal
++               *   direction flag.
++               *
++               * Other unknown types are accepted.
+                */
+               type = get_unaligned_le16(&buffer[4]);
+-              if ((type & 0xff00) == 0) {
++              if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) {
+                       uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol "
+                               "interface %d INPUT_TERMINAL %d has invalid "
+                               "type 0x%04x, skipping\n", udev->devnum,

diff --git a/queue-3.18/series b/queue-3.18/series
index 8147bd974cae50d26489768a1acfd82e25f7f282..534f4cc7456c85dc0626346275d4a1ddf7bb76e8 100644 (file)
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -52,3 +52,4 @@ net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch
 netlabel-fix-out-of-bounds-memory-accesses.patch
 ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch
 hugetlbfs-fix-races-and-page-leaks-during-migration.patch
+media-uvcvideo-fix-type-check-leading-to-overflow.patch

diff --git a/queue-4.14/series b/queue-4.14/series
index e71333917062f59cedb95605aa278588b5b878cc..ed21b9f6402d2c460e9088c210b35c5bb6883a3a 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -40,3 +40,4 @@ xtensa-fix-get_wchan.patch
 bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch
 exec-fix-mem-leak-in-kernel_read_file.patch
 scsi-core-reset-host-byte-in-did_nexus_failure-case.patch
+media-uvcvideo-fix-type-check-leading-to-overflow.patch

diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644 (file)
index 0000000..db14c65
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1 @@
+media-uvcvideo-fix-type-check-leading-to-overflow.patch

diff --git a/queue-4.20/series b/queue-4.20/series
new file mode 100644 (file)
index 0000000..db14c65
--- /dev/null
+++ b/queue-4.20/series
@@ -0,0 +1 @@
+media-uvcvideo-fix-type-check-leading-to-overflow.patch

diff --git a/queue-4.4/series b/queue-4.4/series
index f420af318048e7f601f5139ea83825b7ba2b8212..6a8c2930850ced9bfd61e49b07507bd61bce47ed 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -77,3 +77,4 @@ hugetlbfs-fix-races-and-page-leaks-during-migration.patch
 netlabel-fix-out-of-bounds-memory-accesses.patch
 net-dsa-mv88e6xxx-fix-u64-statistics.patch
 ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch
+media-uvcvideo-fix-type-check-leading-to-overflow.patch

diff --git a/queue-4.9/series b/queue-4.9/series
index abb83734fd7819cdb8e9b555a673c4051e683422..0fac18a28954019797d11b077c7e49495de432bc 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -30,3 +30,4 @@ applicom-fix-potential-spectre-v1-vulnerabilities.patch
 mips-irq-allocate-accurate-order-pages-for-irq-stack.patch
 hugetlbfs-fix-races-and-page-leaks-during-migration.patch
 exec-fix-mem-leak-in-kernel_read_file.patch
+media-uvcvideo-fix-type-check-leading-to-overflow.patch

diff --git a/queue-5.0/series b/queue-5.0/series
new file mode 100644 (file)
index 0000000..db14c65
--- /dev/null
+++ b/queue-5.0/series
@@ -0,0 +1 @@
+media-uvcvideo-fix-type-check-leading-to-overflow.patch