[kernel] r18459 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Sun Jan 8 01:41:35 UTC 2012

Author: benh
Date: Sun Jan  8 01:41:34 2012
New Revision: 18459

Log:
v4l2-ioctl: integer overflow in video_usercopy()

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/base

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================

--- dists/sid/linux-2.6/debian/changelog	Sun Jan  8 01:15:40 2012	(r18458)
+++ dists/sid/linux-2.6/debian/changelog	Sun Jan  8 01:41:34 2012	(r18459)
@@ -24,6 +24,7 @@
   * l2tp: ensure sk->dst is still valid (Closes: #652503)
   * Update Russian debconf template translations (Yuri Kozlov)
     (Closes: #653716)
+  * v4l2-ioctl: integer overflow in video_usercopy()
 
   [ Jonathan Nieder ]
   * prerm: Print an error message when aborting removal of the running

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch	Sun Jan  8 01:41:34 2012	(r18459)
@@ -0,0 +1,51 @@
+Subject: [media] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Thu Jan 5 02:27:57 2012 -0300
+
+If ctrls->count is too high the multiplication could overflow and
+array_size would be lower than expected.  Mauro and Hans Verkuil
+suggested that we cap it at 1024.  That comes from the maximum
+number of controls with lots of room for expantion.
+
+$ grep V4L2_CID include/linux/videodev2.h | wc -l
+211
+
+Cc: stable <stable at vger.kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+---
+ drivers/media/video/v4l2-ioctl.c |    4 ++++
+ include/linux/videodev2.h        |    1 +
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+---
+
+http://git.linuxtv.org/media_tree.git?a=commitdiff;h=6c06108be53ca5e94d8b0e93883d534dd9079646
+
+diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
+index e1da8fc..639abee 100644
+--- a/drivers/media/video/v4l2-ioctl.c
++++ b/drivers/media/video/v4l2-ioctl.c
+@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
+ 		struct v4l2_ext_controls *ctrls = parg;
+ 
+ 		if (ctrls->count != 0) {
++			if (ctrls->count > V4L2_CID_MAX_CTRLS) {
++				ret = -EINVAL;
++				break;
++			}
+ 			*user_ptr = (void __user *)ctrls->controls;
+ 			*kernel_ptr = (void *)&ctrls->controls;
+ 			*array_size = sizeof(struct v4l2_ext_control)
+diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
+index 6bfaa76..b2e1331 100644
+--- a/include/linux/videodev2.h
++++ b/include/linux/videodev2.h
+@@ -1132,6 +1132,7 @@ struct v4l2_querymenu {
+ #define V4L2_CTRL_FLAG_NEXT_CTRL	0x80000000
+ 
+ /*  User-class control IDs defined by V4L2 */
++#define V4L2_CID_MAX_CTRLS		1024
+ #define V4L2_CID_BASE			(V4L2_CTRL_CLASS_USER | 0x900)
+ #define V4L2_CID_USER_BASE 		V4L2_CID_BASE
+ /*  IDs reserved for driver specific controls */

Modified: dists/sid/linux-2.6/debian/patches/series/base
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/base	Sun Jan  8 01:15:40 2012	(r18458)
+++ dists/sid/linux-2.6/debian/patches/series/base	Sun Jan  8 01:41:34 2012	(r18459)
@@ -91,3 +91,4 @@
 + bugfix/all/l2tp-ensure-sk-dst-is-still-valid.patch
 + debian/block-Restore-blk_init_allocated_queue_node-for-ABI-.patch
 + debian/sparc-Change-io_remap_pfn_range-back-into-an-extern-.patch
++ bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch

