[kernel] r18459 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Sun Jan 8 01:41:35 UTC 2012
Author: benh
Date: Sun Jan 8 01:41:34 2012
New Revision: 18459
Log:
v4l2-ioctl: integer overflow in video_usercopy()
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/base
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Sun Jan 8 01:15:40 2012 (r18458)
+++ dists/sid/linux-2.6/debian/changelog Sun Jan 8 01:41:34 2012 (r18459)
@@ -24,6 +24,7 @@
* l2tp: ensure sk->dst is still valid (Closes: #652503)
* Update Russian debconf template translations (Yuri Kozlov)
(Closes: #653716)
+ * v4l2-ioctl: integer overflow in video_usercopy()
[ Jonathan Nieder ]
* prerm: Print an error message when aborting removal of the running
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch Sun Jan 8 01:41:34 2012 (r18459)
@@ -0,0 +1,51 @@
+Subject: [media] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Thu Jan 5 02:27:57 2012 -0300
+
+If ctrls->count is too high the multiplication could overflow and
+array_size would be lower than expected. Mauro and Hans Verkuil
+suggested that we cap it at 1024. That comes from the maximum
+number of controls with lots of room for expantion.
+
+$ grep V4L2_CID include/linux/videodev2.h | wc -l
+211
+
+Cc: stable <stable at vger.kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+---
+ drivers/media/video/v4l2-ioctl.c | 4 ++++
+ include/linux/videodev2.h | 1 +
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+---
+
+http://git.linuxtv.org/media_tree.git?a=commitdiff;h=6c06108be53ca5e94d8b0e93883d534dd9079646
+
+diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
+index e1da8fc..639abee 100644
+--- a/drivers/media/video/v4l2-ioctl.c
++++ b/drivers/media/video/v4l2-ioctl.c
+@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
+ struct v4l2_ext_controls *ctrls = parg;
+
+ if (ctrls->count != 0) {
++ if (ctrls->count > V4L2_CID_MAX_CTRLS) {
++ ret = -EINVAL;
++ break;
++ }
+ *user_ptr = (void __user *)ctrls->controls;
+ *kernel_ptr = (void *)&ctrls->controls;
+ *array_size = sizeof(struct v4l2_ext_control)
+diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
+index 6bfaa76..b2e1331 100644
+--- a/include/linux/videodev2.h
++++ b/include/linux/videodev2.h
+@@ -1132,6 +1132,7 @@ struct v4l2_querymenu {
+ #define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000
+
+ /* User-class control IDs defined by V4L2 */
++#define V4L2_CID_MAX_CTRLS 1024
+ #define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER | 0x900)
+ #define V4L2_CID_USER_BASE V4L2_CID_BASE
+ /* IDs reserved for driver specific controls */
Modified: dists/sid/linux-2.6/debian/patches/series/base
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/base Sun Jan 8 01:15:40 2012 (r18458)
+++ dists/sid/linux-2.6/debian/patches/series/base Sun Jan 8 01:41:34 2012 (r18459)
@@ -91,3 +91,4 @@
+ bugfix/all/l2tp-ensure-sk-dst-is-still-valid.patch
+ debian/block-Restore-blk_init_allocated_queue_node-for-ABI-.patch
+ debian/sparc-Change-io_remap_pfn_range-back-into-an-extern-.patch
++ bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
More information about the Kernel-svn-changes
mailing list