[Trusty][SRU][PATCH 0/1] Fix for CVE-2017-0627


Po-Hsu Lin (Sam)
According to our CVE matrix, only Trusty needs this patch.

An extra check to validate the user-provided bit-size and offset was added in
this patch to fix this CVE issue.

Guenter Roeck (1):
  media: uvcvideo: Prevent heap overflow when accessing mapped controls

 drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++
 1 file changed, 7 insertions(+)

--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[CVE-2017-0627][Trusty][SRU][PATCH 1/1] media: uvcvideo: Prevent heap overflow when accessing mapped controls

Po-Hsu Lin (Sam)
From: Guenter Roeck <[hidden email]>

CVE-2017-0627

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Originally-from: Richard Simmons <[hidden email]>

Cc: [hidden email]
Signed-off-by: Guenter Roeck <[hidden email]>
Reviewed-by: Laurent Pinchart <[hidden email]>
Signed-off-by: Hans Verkuil <[hidden email]>
Signed-off-by: Mauro Carvalho Chehab <[hidden email]>
(cherry picked from commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba)
Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
index 0eb82106..f1c1467 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1949,6 +1949,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
  goto done;
  }
 
+ /* Validate the user-provided bit-size and offset */
+ if (mapping->size > 32 ||
+    mapping->offset + mapping->size > ctrl->info.size * 8) {
+ ret = -EINVAL;
+ goto done;
+ }
+
  list_for_each_entry(map, &ctrl->info.mappings, list) {
  if (mapping->id == map->id) {
  uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "
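
Review bot: the new rejection path at `mapping->size > 32 || ...` sets -EINVAL and jumps to done without logging anything, while the duplicate-id rejection in the context lines right below it reports through uvc_trace(UVC_TRACE_CONTROL, ...). Adding a trace line there that prints the rejected mapping's size and offset next to ctrl->info.size would let a refused mapping be identified from the log rather than only from the error code.
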
--
2.7.4
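
The bounds check this patch adds, modelled as a stand-alone C program; this is an added example, not code from the patch or from the uvcvideo driver. The `model_*` names, the struct field widths, the LSB-first bit numbering and the sample bytes are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the driver's structures; widths are assumed. */
struct model_mapping { uint8_t size, offset; };   /* both counted in bits */
struct model_info    { uint16_t size; };          /* control size in bytes */

/* The patch's two conditions, with operands widened so neither the sum
 * nor the product can wrap whatever the real field widths are. */
int model_validate(const struct model_mapping *m, const struct model_info *info)
{
    uint32_t end_bit  = (uint32_t)m->offset + m->size;
    uint32_t buf_bits = (uint32_t)info->size * 8;
    if (m->size > 32 || end_bit > buf_bits)
        return -EINVAL;
    return 0;
}

/* Read the mapped bit field (LSB-first numbering, an assumption) only
 * after validation, so data[] is never indexed past info->size bytes. */
int model_get(const uint8_t *data, const struct model_info *info,
              const struct model_mapping *m, uint32_t *out)
{
    uint32_t v = 0;
    int ret = model_validate(m, info);
    if (ret)
        return ret;
    for (unsigned int i = 0; i < m->size; i++) {
        unsigned int bit = m->offset + i;
        v |= (uint32_t)((data[bit / 8] >> (bit % 8)) & 1u) << i;
    }
    *out = v;
    return 0;
}

int main(void)
{
    const uint8_t data[2] = { 0xC0, 0x03 };       /* constructed 2-byte control */
    const struct model_info info = { .size = 2 };
    /* constructed {size, offset} pairs: two in range, two out of range */
    const struct model_mapping cases[] = { {4, 6}, {8, 8}, {16, 8}, {33, 0} };
    for (unsigned int i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t v = 0;
        int ret = model_get(data, &info, &cases[i], &v);
        printf("size=%u offset=%u -> ret=%d value=0x%x\n",
               (unsigned)cases[i].size, (unsigned)cases[i].offset, ret, (unsigned)v);
    }
    return 0;
}
```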



ACK: [CVE-2017-0627][Trusty][SRU][PATCH 1/1] media: uvcvideo: Prevent heap overflow when accessing mapped controls

Kleber Souza
On 05/08/18 09:57, Po-Hsu Lin wrote:

> From: Guenter Roeck <[hidden email]>
>
> CVE-2017-0627
>
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
>
> Originally-from: Richard Simmons <[hidden email]>
>
> Cc: [hidden email]
> Signed-off-by: Guenter Roeck <[hidden email]>
> Reviewed-by: Laurent Pinchart <[hidden email]>
> Signed-off-by: Hans Verkuil <[hidden email]>
> Signed-off-by: Mauro Carvalho Chehab <[hidden email]>
> (cherry picked from commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba)
> Signed-off-by: Po-Hsu Lin <[hidden email]>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

> ---
>  drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
> index 0eb82106..f1c1467 100644
> --- a/drivers/media/usb/uvc/uvc_ctrl.c
> +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> @@ -1949,6 +1949,13 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
>   goto done;
>   }
>  
> + /* Validate the user-provided bit-size and offset */
> + if (mapping->size > 32 ||
> +    mapping->offset + mapping->size > ctrl->info.size * 8) {
> + ret = -EINVAL;
> + goto done;
> + }
> +
>   list_for_each_entry(map, &ctrl->info.mappings, list) {
>   if (mapping->id == map->id) {
>   uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "
>
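
Review bot: the literal 32 in `mapping->size > 32` is unexplained, and the comment above it only restates the check. A short comment or a named constant saying why a mapped control is limited to 32 bits would make the limit reviewable. It is also worth confirming from the struct definitions, which this hunk does not show, that `mapping->offset + mapping->size` and `ctrl->info.size * 8` are evaluated in a type wide enough that neither can wrap before the comparison.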
