From: Greg Kroah-Hartman
Date: Mon, 18 Nov 2024 14:54:24 +0000 (+0100)
Subject: 6.12-stable patches
X-Git-Tag: v6.12.1~45
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f959b5276266279ad06e4733fb79afb62eb72642;p=thirdparty%2Fkernel%2Fstable-queue.git
6.12-stable patches
added patches:
hv_sock-initializing-vsk-trans-to-null-to-prevent-a-dangling-pointer.patch
media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
series
---
diff --git a/queue-6.12/hv_sock-initializing-vsk-trans-to-null-to-prevent-a-dangling-pointer.patch b/queue-6.12/hv_sock-initializing-vsk-trans-to-null-to-prevent-a-dangling-pointer.patch
new file mode 100644
index 00000000000..235c0a8ee15
--- /dev/null
+++ b/queue-6.12/hv_sock-initializing-vsk-trans-to-null-to-prevent-a-dangling-pointer.patch
@@ -0,0 +1,33 @@
+From e629295bd60abf4da1db85b82819ca6a4f6c1e79 Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim
+Date: Wed, 6 Nov 2024 04:36:04 -0500
+Subject: hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
+
+From: Hyunwoo Kim
+
+commit e629295bd60abf4da1db85b82819ca6a4f6c1e79 upstream.
+
+When hvs is released, there is a possibility that vsk->trans may not
+be initialized to NULL, which could lead to a dangling pointer.
+This issue is resolved by initializing vsk->trans to NULL.
+
+Signed-off-by: Hyunwoo Kim
+Reviewed-by: Stefano Garzarella
+Acked-by: Michael S. Tsirkin
+Link: https://patch.msgid.link/Zys4hCj61V+mQfX2@v4bel-B760M-AORUS-ELITE-AX
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/hyperv_transport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/vmw_vsock/hyperv_transport.c
++++ b/net/vmw_vsock/hyperv_transport.c
+@@ -549,6 +549,7 @@ static void hvs_destruct(struct vsock_so
+ vmbus_hvsock_device_unregister(chan);
+
+ kfree(hvs);
++ vsk->trans = NULL;
+ }
+
+ static int hvs_dgram_bind(struct vsock_sock *vsk, struct sockaddr_vm *addr)
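Review bot: The added `vsk->trans = NULL;` after `kfree(hvs)` in the hvs_destruct hunk has no comment, and the commit message only says a dangling pointer is possible without naming the code that later reads vsk->trans. A short why-comment would stop the store from being dropped as redundant in a later cleanup, for example `/* vsk may outlive hvs; clear the pointer so a later use of vsk->trans cannot reach freed memory */`. The destruct callbacks of the other vsock transports are not visible here and are presumably worth checking for the same free-without-clear pattern. hvs_destruct's body starts outside the hunk.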
diff --git a/queue-6.12/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch b/queue-6.12/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
new file mode 100644
index 00000000000..559c34d2e99
--- /dev/null
+++ b/queue-6.12/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
@@ -0,0 +1,35 @@
+From ecf2b43018da9579842c774b7f35dbe11b5c38dd Mon Sep 17 00:00:00 2001
+From: Benoit Sevens
+Date: Thu, 7 Nov 2024 14:22:02 +0000
+Subject: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
+
+From: Benoit Sevens
+
+commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream.
+
+This can lead to out of bounds writes since frames of this type were not
+taken into account when calculating the size of the frames buffer in
+uvc_parse_streaming.
+
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Signed-off-by: Benoit Sevens
+Cc: stable@vger.kernel.org
+Acked-by: Greg Kroah-Hartman
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/uvc/uvc_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -371,7 +371,7 @@ static int uvc_parse_format(struct uvc_d
+ * Parse the frame descriptors. Only uncompressed, MJPEG and frame
+ * based formats have frame descriptors.
+ */
+- while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
++ while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
+ buffer[2] == ftype) {
+ unsigned int maxIntervalIndex;
+
diff --git a/queue-6.12/series b/queue-6.12/series
new file mode 100644
index 00000000000..750d7e62ab8
--- /dev/null
+++ b/queue-6.12/series
@@ -0,0 +1,2 @@
+hv_sock-initializing-vsk-trans-to-null-to-prevent-a-dangling-pointer.patch
+media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
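Review bot: The new `ftype &&` guard on the frame-descriptor loop in the uvc_parse_format hunk relies on `ftype == 0` meaning both "this format has no frame descriptors" and the UVC_VS_UNDEFINED subtype, and the comment above the loop does not say so. I would extend that comment with something like `ftype == 0 (UVC_VS_UNDEFINED): no frame descriptors are expected, so a device-supplied descriptor with subtype 0 must not be parsed as a frame`. Per the commit message the frames buffer is sized by a separate pass in uvc_parse_streaming, so the writes are safe only while the counting pass and this parsing pass agree. The loop body is outside the hunk, but if it has no check against the number of frames counted there, adding one would bound any future mismatch too. These descriptors come from the USB device and should be treated as untrusted input.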