From: Ralph Loader Date: Mon, 13 Oct 2008 23:35:38 +0000 (-0400) Subject: V4L/DVB (9053): fix buffer overflow in uvc-video X-Git-Tag: v2.6.26.7~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a5f1e89a9259b8447530f671f7fe70ca1049453;p=thirdparty%2Fkernel%2Fstable.git V4L/DVB (9053): fix buffer overflow in uvc-video Commit fe6c700ff34e68e1eb7991e9c5d18986d0005ac1 upstream V4L/DVB (9053): fix buffer overflow in uvc-video There is a buffer overflow in drivers/media/video/uvc/uvc_ctrl.c: INFO: 0xf2c5ce08-0xf2c5ce0b. First byte 0xa1 instead of 0xcc INFO: Allocated in uvc_query_v4l2_ctrl+0x3c/0x239 [uvcvideo] age=13 cpu=1 pid=4975 ... A fixed size 8-byte buffer is allocated, and a variable size field is read into it; there is no particular bound on the size of the field (it is dependent on hardware and configuration) and it can overflow [also verified by inserting printk's.] The patch attempts to size the buffer to the correctly. Signed-off-by: Andrew Morton Acked-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/media/video/uvc/uvc_ctrl.c b/drivers/media/video/uvc/uvc_ctrl.c index 1306846a4e2f5..18c9f71e213a9 100644 --- a/drivers/media/video/uvc/uvc_ctrl.c +++ b/drivers/media/video/uvc/uvc_ctrl.c @@ -592,7 +592,7 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video, if (ctrl == NULL) return -EINVAL; - data = kmalloc(8, GFP_KERNEL); + data = kmalloc(ctrl->info->size, GFP_KERNEL); if (data == NULL) return -ENOMEM;