Hi,
There appears to be a buffer overflow in
drivers/media/video/uvc/uvc_ctrl.c:
Sep 20 17:53:12 i kernel: BUG kmalloc-8 (Not tainted): Redzone
overwritten Sep 20 17:53:12 i kernel:
--------------------------------------------------------------------
--------- Sep 20 17:53:12 i kernel:
Sep 20 17:53:12 i kernel: INFO: 0xf2c5ce08-0xf2c5ce0b. First byte 0xa1
instead of 0xcc
Sep 20 17:53:12 i kernel: INFO: Allocated in
uvc_query_v4l2_ctrl+0x3c/0x239 [uvcvideo] age=13 cpu=1 pid=4975
...
A fixed size 8-byte buffer is allocated, and a variable size field is
read into it; there is no particular bound on the size of the field
(it is dependent on hardware and configuration) and it can overflow
[also verified by inserting printk's.]
The patch below attempts to size the buffer to the correctly; I do not
know if sufficient validation of that size is carried out.
Cheers,
Ralph Loader.
diff --git a/drivers/media/video/uvc/uvc_ctrl.c
b/drivers/media/video/uvc/uvc_ct rl.c
index 6ef3e52..feab12a 100644
--- a/drivers/media/video/uvc/uvc_ctrl.c
+++ b/drivers/media/video/uvc/uvc_ctrl.c
@@ -592,7 +592,7 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device
*video, if (ctrl == NULL)
return -EINVAL;
- data = kmalloc(8, GFP_KERNEL);
+ data = kmalloc(ctrl->info->size, GFP_KERNEL);
if (data == NULL)
return -ENOMEM;
_______________________________________________
Linux-uvc-devel mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/linux-uvc-devel
