Re: [PATCH] Prevent buffer overflow in UVC Gadget setup handler

From: Szymon Heidrich
Date: Thu Dec 01 2022 - 07:44:43 EST

Next message: Michal Hocko: "Re: [PATCH] mm: memcontrol: protect the memory in cgroup from being oom killed"
Previous message: tip-bot2 for Lukas Bulwahn: "[tip: timers/core] clockevents: Repair kernel-doc for clockevent_delta2ns()"
In reply to: Greg Kroah-Hartman: "Re: [PATCH] Prevent buffer overflow in UVC Gadget setup handler"
Next in thread: Dan Scally: "Re: [PATCH] Prevent buffer overflow in UVC Gadget setup handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 01/12/2022 13:28, Greg Kroah-Hartman wrote:
> On Thu, Dec 01, 2022 at 01:21:41PM +0100, Szymon Heidrich wrote:
>> Setup function uvc_function_setup permits control transfer
>> requests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE),
>> data stage handler for OUT transfer uses memcpy to copy req->actual
>> bytes to uvc_event->data.data array of size 60. This may result
>> in an overflow of 4 bytes.
>>
>> Signed-off-by: Szymon Heidrich <szymon.heidrich@xxxxxxxxx>
>> ---
>> drivers/usb/gadget/function/f_uvc.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> What commit id does this fix? Is it needed for stable kernels?
>
> thanks,
>
> greg k-h

As far as I understand this would be the original commit so cdda479f15cd13fa50a913ca85129c0437cc7b91.
I guess that it is also needed for stable kernels, yet please correct me if I'm wrong.

Best regards,
Szymon

Next message: Michal Hocko: "Re: [PATCH] mm: memcontrol: protect the memory in cgroup from being oom killed"
Previous message: tip-bot2 for Lukas Bulwahn: "[tip: timers/core] clockevents: Repair kernel-doc for clockevent_delta2ns()"
In reply to: Greg Kroah-Hartman: "Re: [PATCH] Prevent buffer overflow in UVC Gadget setup handler"
Next in thread: Dan Scally: "Re: [PATCH] Prevent buffer overflow in UVC Gadget setup handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]