Buffer overflow in uvc-video.
From: Ralph Loader
Date: Sat Sep 20 2008 - 04:23:21 EST
Hi,
There appears to be a buffer overflow in
drivers/media/video/uvc/uvc_ctrl.c:
Sep 20 17:53:12 i kernel: BUG kmalloc-8 (Not tainted): Redzone
overwritten Sep 20 17:53:12 i kernel:
--------------------------------------------------------------------
--------- Sep 20 17:53:12 i kernel:
Sep 20 17:53:12 i kernel: INFO: 0xf2c5ce08-0xf2c5ce0b. First byte 0xa1
instead of 0xcc
Sep 20 17:53:12 i kernel: INFO: Allocated in
uvc_query_v4l2_ctrl+0x3c/0x239 [uvcvideo] age=13 cpu=1 pid=4975
...
A fixed size 8-byte buffer is allocated, and a variable size field is
read into it; there is no particular bound on the size of the field
(it is dependent on hardware and configuration) and it can overflow
[also verified by inserting printk's.]
The patch below attempts to size the buffer to the correctly; I do not
know if sufficient validation of that size is carried out.
Cheers,
Ralph Loader.
diff --git a/drivers/media/video/uvc/uvc_ctrl.c
b/drivers/media/video/uvc/uvc_ct rl.c
index 6ef3e52..feab12a 100644
--- a/drivers/media/video/uvc/uvc_ctrl.c
+++ b/drivers/media/video/uvc/uvc_ctrl.c
@@ -592,7 +592,7 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device
*video, if (ctrl == NULL)
return -EINVAL;
- data = kmalloc(8, GFP_KERNEL);
+ data = kmalloc(ctrl->info->size, GFP_KERNEL);
if (data == NULL)
return -ENOMEM;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/