Hello Laurent Pinchart,

The patch cdda479f15cd: "USB gadget: video class function driver"
from May 2, 2010, leads to the following static checker warning:

        drivers/usb/gadget/function/f_uvc.c:223 uvc_function_ep0_complete()
        error: overflow detected.  memcpy() '&uvc_event->data.data' is
        60 bytes.  user controlled range = '0-64'

drivers/usb/gadget/function/f_uvc.c
   210  static void
   211  uvc_function_ep0_complete(struct usb_ep *ep, struct usb_request *req)
   212  {
   213          struct uvc_device *uvc = req->context;
   214          struct v4l2_event v4l2_event;
   215          struct uvc_event *uvc_event = (void *)&v4l2_event.u.data;
   216  
   217          if (uvc->event_setup_out) {
   218                  uvc->event_setup_out = 0;
   219  
   220                  memset(&v4l2_event, 0, sizeof(v4l2_event));
   221                  v4l2_event.type = UVC_EVENT_DATA;
   222                  uvc_event->data.length = req->actual;
   223                  memcpy(&uvc_event->data.data, req->buf, req->actual);
                                ^^^^^^^^^^^^^^^^^^^^            ^^^^^^^^^^^^
It doesn't know the real limit of req->actual, but it's saying that
there is an untrusted source which can pick a value between 0 and 64,
which exceeds the 60-byte destination.

   224                  v4l2_event_queue(uvc->vdev, &v4l2_event);
   225          }
   226  }

The untrusted source is in dummy_queue().

drivers/usb/gadget/udc/dummy_hcd.c
   648          /* implement an emulated single-request FIFO */
   649          if (ep->desc && (ep->desc->bEndpointAddress & USB_DIR_IN) &&
   650                          list_empty(&dum->fifo_req.queue) &&
   651                          list_empty(&ep->queue) &&
   652                          _req->length <= FIFO_SIZE) {
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^
_req->length is untrusted for some reason.  The comparison against FIFO_SIZE caps it at 0-64.

   653                  req = &dum->fifo_req;
   654                  req->req = *_req;
   655                  req->req.buf = dum->fifo_buf;
   656                  memcpy(dum->fifo_buf, _req->buf, _req->length);
   657                  req->req.context = dum;
   658                  req->req.complete = fifo_complete;
   659  
   660                  list_add_tail(&req->queue, &ep->queue);
   661                  spin_unlock(&dum->lock);
   662                  _req->actual = _req->length;
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Assigned to _req->actual.

   663                  _req->status = 0;
   664                  usb_gadget_giveback_request(_ep, _req);
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
And it propagates down this call tree.

   665                  spin_lock(&dum->lock);

There is another similar issue:

        drivers/usb/gadget/function/f_uac1.c:367 f_audio_complete()
        error: overflow detected.  memcpy() '&data' is 4 bytes.  user
        controlled range = '0-64'

TODO-List: USB: gadget: potential overflow in uvc_function_ep0_complete().

regards,
dan carpenter