Thread (9 messages) 9 messages, 3 authors, 2021-12-03

Re: [PATCH] media: uvcvideo: fix division by zero at stream start

From: Johan Hovold <johan@kernel.org>
Date: 2021-10-26 12:07:17
Also in: linux-media, linux-usb, lkml 

On Tue, Oct 26, 2021 at 02:15:20PM +0300, Laurent Pinchart wrote:
On Tue, Oct 26, 2021 at 11:55:05AM +0100, Kieran Bingham wrote:
quoted
Quoting Johan Hovold (2021-10-26 10:55:11)
quoted
Add the missing bulk-endpoint max-packet sanity check to probe() to
avoid division by zero in uvc_alloc_urb_buffers() in case a malicious
device has broken descriptors (or when doing descriptor fuzz testing).

Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).

Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
Cc: stable@vger.kernel.org      # 2.6.26
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/media/usb/uvc/uvc_video.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
index e16464606b14..85ac5c1081b6 100644
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -1958,6 +1958,10 @@ static int uvc_video_start_transfer(struct uvc_streaming *stream,
                if (ep == NULL)
                        return -EIO;
 
+               /* Reject broken descriptors. */
+               if (usb_endpoint_maxp(&ep->desc) == 0)
+                       return -EIO;
Is there any value in identifying this with a specific return code like
-ENODATA?
Going one step further, wouldn't it be better to fail probe() for those
devices ?
This is not how the driver works today. Look at the "return -EIO" just
above in case the expected endpoint is missing. And similarly for the
isochronous case for which zero wMaxPacket isn't handled until
uvc_video_start_transfer() either (a few lines further up still).

Note however the copy-paste error in the commit message mentioning
probe(), which is indeed where this would typically be handled.

Do you want me to resend or can you change

	s/probe()/uvc_video_start_transfer()/

in the commit message when applying if you think this is acceptable as
is?

Johan
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help