[X][E][CVE-2020-11608][SRU][PATCH 1/1] media: ov519: add missing endpoint sanity checks
Po-Hsu Lin
po-hsu.lin at canonical.com
Thu Apr 16 08:50:19 UTC 2020
From: Johan Hovold <johan at kernel.org>
CVE-2020-11608
Make sure to check that we have at least one endpoint before accessing
the endpoint array to avoid dereferencing a NULL-pointer on stream
start.
Note that these sanity checks are not redundant as the driver is mixing
looking up altsettings by index and by number, which need not coincide.
Fixes: 1876bb923c98 ("V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge")
Fixes: b282d87332f5 ("V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)")
Cc: stable <stable at vger.kernel.org> # 2.6.31
Cc: Hans de Goede <hdegoede at redhat.com>
Signed-off-by: Johan Hovold <johan at kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco at xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei at kernel.org>
(cherry picked from commit 998912346c0da53a6dbb71fab3a138586b596b30)
Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
---
drivers/media/usb/gspca/ov519.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/media/usb/gspca/ov519.c b/drivers/media/usb/gspca/ov519.c
index c7aafdb..9a49b50 100644
--- a/drivers/media/usb/gspca/ov519.c
+++ b/drivers/media/usb/gspca/ov519.c
@@ -3507,6 +3507,11 @@ static void ov511_mode_init_regs(struct sd *sd)
return;
}
+ if (alt->desc.bNumEndpoints < 1) {
+ sd->gspca_dev.usb_err = -ENODEV;
+ return;
+ }
+
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
reg_w(sd, R51x_FIFO_PSIZE, packet_size >> 5);
@@ -3632,6 +3637,11 @@ static void ov518_mode_init_regs(struct sd *sd)
return;
}
+ if (alt->desc.bNumEndpoints < 1) {
+ sd->gspca_dev.usb_err = -ENODEV;
+ return;
+ }
+
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
ov518_reg_w32(sd, R51x_FIFO_PSIZE, packet_size & ~7, 2);
--
2.7.4
More information about the kernel-team
mailing list