[PATCH] isight_firmware: Avoid crash on loading invalid firmware

From: Matthew Garrett
Date: Fri Jun 06 2008 - 15:22:03 EST

Next message: Leon Woestenberg: "Re: Locking in the (now generic) GPIO infrastructure?"
Previous message: Dotan Barak: "Re: [ofa-general] IB/ehca: Reject send WRs only for RESET, INIT andRTR state"
In reply to: Greg KH: "Re: [ 88.628451] BUG: unable to handle kernel paging request atf8dbf000 "isight_firmware""
Next in thread: Andrew Morton: "Re: [PATCH] isight_firmware: Avoid crash on loading invalidfirmware"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Different tools generate slightly different formats of the isight
firmware. Ensure that the firmware buffer is not overrun, while still
ensuring that the correct amount of data is written if trailing data is
prseent.

Signed-off-by: Matthew Garrett <mjg@xxxxxxxxxx>

---

diff --git a/drivers/usb/misc/isight_firmware.c b/drivers/usb/misc/isight_firmware.c
index 390e048..9f30aa1 100644
--- a/drivers/usb/misc/isight_firmware.c
+++ b/drivers/usb/misc/isight_firmware.c
@@ -39,9 +39,12 @@ static int isight_firmware_load(struct usb_interface *intf,
struct usb_device *dev = interface_to_usbdev(intf);
int llen, len, req, ret = 0;
const struct firmware *firmware;
- unsigned char *buf;
+ unsigned char *buf = kmalloc(50, GFP_KERNEL);
unsigned char data[4];
- char *ptr;
+ u8 *ptr;
+
+ if (!buf)
+ return -ENOMEM;

if (request_firmware(&firmware, "isight.fw", &dev->dev) != 0) {
printk(KERN_ERR "Unable to load isight firmware\n");
@@ -59,7 +62,7 @@ static int isight_firmware_load(struct usb_interface *intf,
goto out;
}

- while (1) {
+ while (ptr+4 <= firmware->data+firmware->size) {
memcpy(data, ptr, 4);
len = (data[0] << 8 | data[1]);
req = (data[2] << 8 | data[3]);
@@ -71,10 +74,14 @@ static int isight_firmware_load(struct usb_interface *intf,
continue;

for (; len > 0; req += 50) {
- llen = len > 50 ? 50 : len;
+ llen = min(len, 50);
len -= llen;
-
- buf = kmalloc(llen, GFP_KERNEL);
+ if (ptr+llen > firmware->data+firmware->size) {
+ printk(KERN_ERR
+ "Malformed isight firmware");
+ ret = -ENODEV;
+ goto out;
+ }
memcpy(buf, ptr, llen);

ptr += llen;
@@ -89,16 +96,18 @@ static int isight_firmware_load(struct usb_interface *intf,
goto out;
}

- kfree(buf);
}
}
+
if (usb_control_msg
(dev, usb_sndctrlpipe(dev, 0), 0xa0, 0x40, 0xe600, 0, "\0", 1,
300) != 1) {
printk(KERN_ERR "isight firmware loading completion failed\n");
ret = -ENODEV;
}
+
out:
+ kfree(buf);
release_firmware(firmware);
return ret;
}
--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Leon Woestenberg: "Re: Locking in the (now generic) GPIO infrastructure?"
Previous message: Dotan Barak: "Re: [ofa-general] IB/ehca: Reject send WRs only for RESET, INIT andRTR state"
In reply to: Greg KH: "Re: [ 88.628451] BUG: unable to handle kernel paging request atf8dbf000 "isight_firmware""
Next in thread: Andrew Morton: "Re: [PATCH] isight_firmware: Avoid crash on loading invalidfirmware"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]