V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()

commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream. If ctrls->count is too high the multiplication could overflow and array_size would be lower than expected. Mauro and Hans Verkuil suggested that we cap it at 1024. That comes from the maximum number of controls with lots of room for expantion. $ grep V4L2_CID include/linux/videodev2.h | wc -l 211 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream. If ctrls->count is too high the multiplication could overflow and array_size would be lower than expected. Mauro and Hans Verkuil suggested that we cap it at 1024. That comes from the maximum number of controls with lots of room for expantion. $ grep V4L2_CID include/linux/videodev2.h | wc -l 211 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Carpenter · Greg Kroah-Hartman
1 parent 37cd47c536
Showing 2 changed files with 5 additions and 0 deletions Side-by-side Diff
drivers/media/video/v4l2-ioctl.c
include/linux/videodev2.h
@@ -2226,6 +2226,10 @@
 		struct v4l2_ext_controls *ctrls = parg;
  
 		if (ctrls->count != 0) {
+			if (ctrls->count > V4L2_CID_MAX_CTRLS) {
+				ret = -EINVAL;
+				break;
+			}
 			*user_ptr = (void __user *)ctrls->controls;
 			*kernel_ptr = (void *)&ctrls->controls;
 			*array_size = sizeof(struct v4l2_ext_control)
@@ -1131,6 +1131,7 @@
 #define V4L2_CTRL_FLAG_NEXT_CTRL	0x80000000
  
 /*  User-class control IDs defined by V4L2 */
+#define V4L2_CID_MAX_CTRLS		1024
 #define V4L2_CID_BASE			(V4L2_CTRL_CLASS_USER | 0x900)
 #define V4L2_CID_USER_BASE 		V4L2_CID_BASE
 /*  IDs reserved for driver specific controls */
...	...	@@ -2226,6 +2226,10 @@
2226	2226	struct v4l2_ext_controls *ctrls = parg;
2227	2227
2228	2228	if (ctrls->count != 0) {
	2229	+ if (ctrls->count > V4L2_CID_MAX_CTRLS) {
	2230	+ ret = -EINVAL;
	2231	+ break;
	2232	+ }
2229	2233	user_ptr = (void __user )ctrls->controls;
2230	2234	kernel_ptr = (void )&ctrls->controls;
2231	2235	*array_size = sizeof(struct v4l2_ext_control)
...	...	@@ -1131,6 +1131,7 @@
1131	1131	#define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000
1132	1132
1133	1133	/* User-class control IDs defined by V4L2 */
	1134	+#define V4L2_CID_MAX_CTRLS 1024
1134	1135	#define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER \| 0x900)
1135	1136	#define V4L2_CID_USER_BASE V4L2_CID_BASE
1136	1137	/* IDs reserved for driver specific controls */