Issue 724785

Issue metadata

Status: Archived
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security




CrOS: CVE-2017-0627 - Vulnerability reported in Linux kernel - UVC driver

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, May 20 2017

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-0627
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0627
  CVSS severity score: 2.6/10.0
  Description:

An information disclosure vulnerability in the kernel UVC driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33300353.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

 

Comment 1 by wfh@chromium.org, May 22 2017

Components: OS>Kernel

Comment 2 by wfh@chromium.org, May 22 2017

Labels: Security_Severity-Medium Pri-2
Summary: CrOS: CVE-2017-0627 - Vulnerability reported in Linux kernel - UVC driver (was: CrOS: Vulnerability reported in Linux kernel)

Comment 3 by wfh@chromium.org, May 22 2017

Status: Available (was: Untriaged)
Owner: groeck@chromium.org
Mass-assigning Android May security bulletin issues to groeck@ to triage.
Project Member

Comment 5 by sheriffbot@chromium.org, May 22 2017

Labels: -Pri-2 Pri-1
Project Member

Comment 6 by sheriffbot@chromium.org, May 22 2017

Status: Assigned (was: Available)

Comment 7 by groeck@chromium.org, May 22 2017

Fix not upstream, Chrome OS is affected (all releases as far as I can see). Will submit fix upstream first for feedback.

Comment 8 by groeck@chromium.org, May 22 2017

Labels: M-59
Project Member

Comment 9 by sheriffbot@chromium.org, May 23 2017

Labels: Security_Impact-Beta
Project Member

Comment 10 by sheriffbot@chromium.org, May 23 2017

Labels: ReleaseBlock-Stable
Status: Started (was: Assigned)
Project Member

Comment 12 by bugdroid1@chromium.org, May 27 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7ddb4bdd8712a3a00fc8efe22586eadb75b27391

commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391
Author: Robb Glasser <rglasser@google.com>
Date: Sat May 27 15:49:15 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/7ddb4bdd8712a3a00fc8efe22586eadb75b27391/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 13 by bugdroid1@chromium.org, May 27 2017

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d57fda44257ae0e898a530d9537e65f3a74ef861

commit d57fda44257ae0e898a530d9537e65f3a74ef861
Author: Robb Glasser <rglasser@google.com>
Date: Sat May 27 21:27:59 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/517316

[modify] https://crrev.com/d57fda44257ae0e898a530d9537e65f3a74ef861/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 14 by bugdroid1@chromium.org, May 27 2017

Labels: merge-merged-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c5ae3f3e6b83d51564db8197439a04644f3ce2a7

commit c5ae3f3e6b83d51564db8197439a04644f3ce2a7
Author: Robb Glasser <rglasser@google.com>
Date: Sat May 27 21:28:00 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/517318

[modify] https://crrev.com/c5ae3f3e6b83d51564db8197439a04644f3ce2a7/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 15 by bugdroid1@chromium.org, May 27 2017

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6eea2a7519579f14f1837e977068ea28ad98fd77

commit 6eea2a7519579f14f1837e977068ea28ad98fd77
Author: Robb Glasser <rglasser@google.com>
Date: Sat May 27 21:28:00 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/517317

[modify] https://crrev.com/6eea2a7519579f14f1837e977068ea28ad98fd77/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 16 by sheriffbot@chromium.org, May 28 2017

Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 17 by sheriffbot@chromium.org, May 29 2017

Labels: Restrict-View-SecurityNotify
Status: Started (was: Fixed)
Grumble. Not fixed in all releases. Sheriffbot keeps jumping the gun.

Progress report: Commit into chromeos-3.8 is still pending. Commits into chromeos-3.8 are currently blocked due to the following CQ error.

"x86-alex-no-vmtest-pre-cq: The BuildPackages stage failed: Cannot find prebuilts for chromeos-base/chromeos-chrome on x86-alex"


Project Member

Comment 20 by bugdroid1@chromium.org, Jun 1 2017

Labels: merge-merged-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b0a8a139832abc95077c6020842b8368f88fbf24

commit b0a8a139832abc95077c6020842b8368f88fbf24
Author: Robb Glasser <rglasser@google.com>
Date: Thu Jun 01 04:14:35 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/517318
(cherry picked from commit c5ae3f3e6b83d51564db8197439a04644f3ce2a7)
Reviewed-on: https://chromium-review.googlesource.com/517319

[modify] https://crrev.com/b0a8a139832abc95077c6020842b8368f88fbf24/drivers/media/usb/uvc/uvc_ctrl.c

Labels: Merge-Request-59
Status: Fixed (was: Started)
Project Member

Comment 22 by sheriffbot@chromium.org, Jun 1 2017

Labels: -Merge-Request-59 Merge-Review-59 Hotlist-Merge-Review
This bug requires manual review: Only 4 days from stable, we might already have a stable candidate build
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Hotlist-Merge-Review -Merge-Review-59 Merge-Approved-59
Cc: gkihumba@chromium.org
Project Member

Comment 25 by bugdroid1@chromium.org, Jun 16 2017

Labels: merge-merged-release-R60-9592.B-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8d8cc250b226e395c06b444b17665f87d2aa71b1

commit 8d8cc250b226e395c06b444b17665f87d2aa71b1
Author: Robb Glasser <rglasser@google.com>
Date: Fri Jun 16 22:01:21 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/517316
(cherry picked from commit d57fda44257ae0e898a530d9537e65f3a74ef861)
Reviewed-on: https://chromium-review.googlesource.com/539015

[modify] https://crrev.com/8d8cc250b226e395c06b444b17665f87d2aa71b1/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 26 by bugdroid1@chromium.org, Jun 16 2017

Labels: merge-merged-release-R59-9460.B-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/dde476141a4e6c7c464c857a44864fd28c3c1974

commit dde476141a4e6c7c464c857a44864fd28c3c1974
Author: Robb Glasser <rglasser@google.com>
Date: Fri Jun 16 22:01:26 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/517318
(cherry picked from commit c5ae3f3e6b83d51564db8197439a04644f3ce2a7)
Reviewed-on: https://chromium-review.googlesource.com/517319
(cherry picked from commit b0a8a139832abc95077c6020842b8368f88fbf24)
Reviewed-on: https://chromium-review.googlesource.com/539021

[modify] https://crrev.com/dde476141a4e6c7c464c857a44864fd28c3c1974/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 27 by bugdroid1@chromium.org, Jun 16 2017

Labels: merge-merged-release-R59-9460.B-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4cadce96717f61964ae1260f00a8e552a5443ac1

commit 4cadce96717f61964ae1260f00a8e552a5443ac1
Author: Robb Glasser <rglasser@google.com>
Date: Fri Jun 16 22:01:30 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/517317
(cherry picked from commit 6eea2a7519579f14f1837e977068ea28ad98fd77)
Reviewed-on: https://chromium-review.googlesource.com/539018

[modify] https://crrev.com/4cadce96717f61964ae1260f00a8e552a5443ac1/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 28 by bugdroid1@chromium.org, Jun 16 2017

Labels: merge-merged-release-R60-9592.B-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cbb25c782fdbbacfe5d80cead14c88e4109a596c

commit cbb25c782fdbbacfe5d80cead14c88e4109a596c
Author: Robb Glasser <rglasser@google.com>
Date: Fri Jun 16 22:01:34 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/539013

[modify] https://crrev.com/cbb25c782fdbbacfe5d80cead14c88e4109a596c/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 29 by bugdroid1@chromium.org, Jun 16 2017

Labels: merge-merged-release-R60-9592.B-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ca21acbc97a460aa818d648d96fa59c60a02eb73

commit ca21acbc97a460aa818d648d96fa59c60a02eb73
Author: Robb Glasser <rglasser@google.com>
Date: Fri Jun 16 22:01:38 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/517318
(cherry picked from commit c5ae3f3e6b83d51564db8197439a04644f3ce2a7)
Reviewed-on: https://chromium-review.googlesource.com/539019

[modify] https://crrev.com/ca21acbc97a460aa818d648d96fa59c60a02eb73/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 30 by bugdroid1@chromium.org, Jun 16 2017

Labels: merge-merged-release-R59-9460.B-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d57d4d4bad0736fdc5d41849e7fc203ea194503a

commit d57d4d4bad0736fdc5d41849e7fc203ea194503a
Author: Robb Glasser <rglasser@google.com>
Date: Fri Jun 16 22:01:43 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/517318
(cherry picked from commit c5ae3f3e6b83d51564db8197439a04644f3ce2a7)
Reviewed-on: https://chromium-review.googlesource.com/539020

[modify] https://crrev.com/d57d4d4bad0736fdc5d41849e7fc203ea194503a/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 31 by bugdroid1@chromium.org, Jun 16 2017

Labels: merge-merged-release-R59-9460.B-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/230c208d12ba93d76aeb71179fdd4f5651267e02

commit 230c208d12ba93d76aeb71179fdd4f5651267e02
Author: Robb Glasser <rglasser@google.com>
Date: Fri Jun 16 22:01:46 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/517316
(cherry picked from commit d57fda44257ae0e898a530d9537e65f3a74ef861)
Reviewed-on: https://chromium-review.googlesource.com/539016

[modify] https://crrev.com/230c208d12ba93d76aeb71179fdd4f5651267e02/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 32 by bugdroid1@chromium.org, Jun 16 2017

Labels: merge-merged-release-R59-9460.B-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/773ce9e4027772940c3eb61c6e9269118a53a598

commit 773ce9e4027772940c3eb61c6e9269118a53a598
Author: Robb Glasser <rglasser@google.com>
Date: Fri Jun 16 22:01:50 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/539014

[modify] https://crrev.com/773ce9e4027772940c3eb61c6e9269118a53a598/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 33 by bugdroid1@chromium.org, Jun 16 2017

Labels: merge-merged-release-R60-9592.B-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/3e2009b890fb1f82342cb114d281d5bc756b0169

commit 3e2009b890fb1f82342cb114d281d5bc756b0169
Author: Robb Glasser <rglasser@google.com>
Date: Fri Jun 16 22:01:54 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG= chromium:724785 
TEST=Build and run

Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
Signed-off-by: Robb Glasser <rglasser@google.com>
[groeck: cherry picked from
 https://source.codeaurora.org/quic/la/kernel/msm-3.10
 commit b7b99e55bc7770187913ed092990852ea52d7892;
 updated subject]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9741303/)
Reviewed-on: https://chromium-review.googlesource.com/517423
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
Reviewed-on: https://chromium-review.googlesource.com/517317
(cherry picked from commit 6eea2a7519579f14f1837e977068ea28ad98fd77)
Reviewed-on: https://chromium-review.googlesource.com/539017

[modify] https://crrev.com/3e2009b890fb1f82342cb114d281d5bc756b0169/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 34 by sheriffbot@chromium.org, Jun 20 2017

Cc: gkihumba@google.com
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Approved-59 Arch-All
Status: Assigned (was: Fixed)
Reopening; fix was bad and needs to be reverted.

Labels: -merge-merged-chromeos-3.18 -merge-merged-chromeos-3.10 -merge-merged-chromeos-3.14 -merge-merged-chromeos-3.8 -merge-merged-chromeos-4.4 -merge-merged-release-R59-9460.B-chromeos-3.14 -merge-merged-release-R60-9592.B-chromeos-4.4 -merge-merged-release-R60-9592.B-chromeos-3.14 -merge-merged-release-R60-9592.B-chromeos-3.10 Arch-ARM
Project Member

Comment 38 by bugdroid1@chromium.org, Jun 27 2017

Labels: merge-merged-release-R59-9460.B-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c7c90b98f0a500551027b8e778f22a56b1dceabc

commit c7c90b98f0a500551027b8e778f22a56b1dceabc
Author: Guenter Roeck <groeck@chromium.org>
Date: Tue Jun 27 20:30:43 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit 773ce9e4027772940c3eb61c6e9269118a53a598.

Reason for revert: chromium:735776

BUG=chromium:735776
Test=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
> 
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
> 
> BUG= chromium:724785 
> TEST=Build and run
> 
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/539014

Bug:  chromium:724785 
Change-Id: I3c1e70fb8f103fd0fc1b2ed55ce4804279508118
Reviewed-on: https://chromium-review.googlesource.com/550658
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/c7c90b98f0a500551027b8e778f22a56b1dceabc/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 39 by bugdroid1@chromium.org, Jun 27 2017

Labels: merge-merged-release-R60-9592.B-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d91bfda127624d391ebf0498f70458fc753f465a

commit d91bfda127624d391ebf0498f70458fc753f465a
Author: Guenter Roeck <groeck@chromium.org>
Date: Tue Jun 27 20:30:48 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit 3e2009b890fb1f82342cb114d281d5bc756b0169.

Reason for revert: chromium:735776

BUG=chromium:735776
Test=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
> 
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
> 
> BUG= chromium:724785 
> TEST=Build and run
> 
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/517317
> (cherry picked from commit 6eea2a7519579f14f1837e977068ea28ad98fd77)
> Reviewed-on: https://chromium-review.googlesource.com/539017

Bug:  chromium:724785 
Change-Id: I47e60e8ce8f379575d06d6a1544c195aa3dc198e
Reviewed-on: https://chromium-review.googlesource.com/550657
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/d91bfda127624d391ebf0498f70458fc753f465a/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 40 by bugdroid1@chromium.org, Jun 27 2017

Labels: merge-merged-release-R59-9460.B-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0fb147aa9ba1f50b82f2b275547018a531dbf4ed

commit 0fb147aa9ba1f50b82f2b275547018a531dbf4ed
Author: Guenter Roeck <groeck@chromium.org>
Date: Tue Jun 27 20:34:07 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit d57d4d4bad0736fdc5d41849e7fc203ea194503a.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
> 
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
> 
> BUG= chromium:724785 
> TEST=Build and run
> 
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/517318
> (cherry picked from commit c5ae3f3e6b83d51564db8197439a04644f3ce2a7)
> Reviewed-on: https://chromium-review.googlesource.com/539020

Bug:  chromium:724785 
Change-Id: I8d48efd07d92eccd07f04d68ba77bb2a6ef51eab
Reviewed-on: https://chromium-review.googlesource.com/550655
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/0fb147aa9ba1f50b82f2b275547018a531dbf4ed/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 41 by bugdroid1@chromium.org, Jun 27 2017

Labels: merge-merged-release-R60-9592.B-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/59323350e245a47891677f0b2f9159ed0ca462e7

commit 59323350e245a47891677f0b2f9159ed0ca462e7
Author: Guenter Roeck <groeck@chromium.org>
Date: Tue Jun 27 20:34:12 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit ca21acbc97a460aa818d648d96fa59c60a02eb73.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
> 
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
> 
> BUG= chromium:724785 
> TEST=Build and run
> 
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/517318
> (cherry picked from commit c5ae3f3e6b83d51564db8197439a04644f3ce2a7)
> Reviewed-on: https://chromium-review.googlesource.com/539019

Bug:  chromium:724785 
Change-Id: I68d4853cb10346264db24ff0962215a12f0c237b
Reviewed-on: https://chromium-review.googlesource.com/550214
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/59323350e245a47891677f0b2f9159ed0ca462e7/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 42 by bugdroid1@chromium.org, Jun 27 2017

Labels: merge-merged-release-R59-9460.B-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/faf635b40d728e7c08d1ce7d4efb198524221364

commit faf635b40d728e7c08d1ce7d4efb198524221364
Author: Guenter Roeck <groeck@chromium.org>
Date: Tue Jun 27 20:34:22 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit 230c208d12ba93d76aeb71179fdd4f5651267e02.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
> 
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
> 
> BUG= chromium:724785 
> TEST=Build and run
> 
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/517316
> (cherry picked from commit d57fda44257ae0e898a530d9537e65f3a74ef861)
> Reviewed-on: https://chromium-review.googlesource.com/539016

Bug:  chromium:724785 
Change-Id: Id02c85d1e7e637559c76458ce66a8c764757ced9
Reviewed-on: https://chromium-review.googlesource.com/550656
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/faf635b40d728e7c08d1ce7d4efb198524221364/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 43 by bugdroid1@chromium.org, Jun 27 2017

Labels: merge-merged-release-R59-9460.B-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b8898ba28123cfd08f8a4b29d22ffb4dd58c13d5

commit b8898ba28123cfd08f8a4b29d22ffb4dd58c13d5
Author: Guenter Roeck <groeck@chromium.org>
Date: Tue Jun 27 20:34:30 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit 4cadce96717f61964ae1260f00a8e552a5443ac1.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
> 
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
> 
> BUG= chromium:724785 
> TEST=Build and run
> 
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/517317
> (cherry picked from commit 6eea2a7519579f14f1837e977068ea28ad98fd77)
> Reviewed-on: https://chromium-review.googlesource.com/539018

Bug:  chromium:724785 
Change-Id: I9e7cc588df3d7981884d9b540472e6b8a90fefef
Reviewed-on: https://chromium-review.googlesource.com/550213
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/b8898ba28123cfd08f8a4b29d22ffb4dd58c13d5/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 44 by bugdroid1@chromium.org, Jun 27 2017

Labels: merge-merged-release-R60-9592.B-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/aace1482168b77033d2ab763ffdfed4ef356b242

commit aace1482168b77033d2ab763ffdfed4ef356b242
Author: Guenter Roeck <groeck@chromium.org>
Date: Tue Jun 27 20:34:34 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit cbb25c782fdbbacfe5d80cead14c88e4109a596c.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
> 
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
> 
> BUG= chromium:724785 
> TEST=Build and run
> 
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/539013

Bug:  chromium:724785 
Change-Id: Ia3cad2dd47c5160e699290ea470ff3823452db9e
Reviewed-on: https://chromium-review.googlesource.com/550212
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/aace1482168b77033d2ab763ffdfed4ef356b242/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 45 by bugdroid1@chromium.org, Jun 27 2017

Labels: merge-merged-release-R60-9592.B-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/70c266fc45192f9497e1492c8128d78da8fde8e2

commit 70c266fc45192f9497e1492c8128d78da8fde8e2
Author: Guenter Roeck <groeck@chromium.org>
Date: Tue Jun 27 20:39:38 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit 8d8cc250b226e395c06b444b17665f87d2aa71b1.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
> 
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
> 
> BUG= chromium:724785 
> TEST=Build and run
> 
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/517316
> (cherry picked from commit d57fda44257ae0e898a530d9537e65f3a74ef861)
> Reviewed-on: https://chromium-review.googlesource.com/539015

Bug:  chromium:724785 
Change-Id: Id1644d4d8173e9bf69e4d7c11c86a2a026ce3206
Reviewed-on: https://chromium-review.googlesource.com/550210
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/70c266fc45192f9497e1492c8128d78da8fde8e2/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 46 by bugdroid1@chromium.org, Jun 27 2017

Labels: merge-merged-release-R59-9460.B-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/92ff9c49ce22ff94fe2f58bafe6584349743a089

commit 92ff9c49ce22ff94fe2f58bafe6584349743a089
Author: Guenter Roeck <groeck@chromium.org>
Date: Tue Jun 27 20:39:42 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit dde476141a4e6c7c464c857a44864fd28c3c1974.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
> 
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
> 
> BUG= chromium:724785 
> TEST=Build and run
> 
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/517318
> (cherry picked from commit c5ae3f3e6b83d51564db8197439a04644f3ce2a7)
> Reviewed-on: https://chromium-review.googlesource.com/517319
> (cherry picked from commit b0a8a139832abc95077c6020842b8368f88fbf24)
> Reviewed-on: https://chromium-review.googlesource.com/539021

Bug:  chromium:724785 
Change-Id: I3a2889b4fbfdef511898ec420987c2c83433d81c
Reviewed-on: https://chromium-review.googlesource.com/550211
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/92ff9c49ce22ff94fe2f58bafe6584349743a089/drivers/media/usb/uvc/uvc_ctrl.c

From chromium:735776:

When reading b/33300353, they have a revert pending:
https://partner-android-review.googlesource.com/#/c/826375/
And another version proposed by an external contributor due to a regression:
https://partner-android-review.googlesource.com/#/c/826336/

Project Member

Comment 48 by bugdroid1@chromium.org, Jun 28 2017

Labels: merge-merged-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/474eee892c2ee2c2830f9b9e06c39a6fa0a4e6a0

commit 474eee892c2ee2c2830f9b9e06c39a6fa0a4e6a0
Author: Guenter Roeck <groeck@chromium.org>
Date: Wed Jun 28 00:56:13 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit c5ae3f3e6b83d51564db8197439a04644f3ce2a7.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
>
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
>
> BUG= chromium:724785 
> TEST=Build and run
>
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/517318

Bug:  chromium:724785 
Change-Id: Ic47d443d41a8e5fbf2a8a360f6290ce161e9e85a
Reviewed-on: https://chromium-review.googlesource.com/550207
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/474eee892c2ee2c2830f9b9e06c39a6fa0a4e6a0/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 49 by bugdroid1@chromium.org, Jun 28 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d0be8d66fc3533b682f609b6df5aa248f73c3a3a

commit d0be8d66fc3533b682f609b6df5aa248f73c3a3a
Author: Guenter Roeck <groeck@chromium.org>
Date: Wed Jun 28 00:56:14 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
>
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
>
> BUG= chromium:724785 
> TEST=Build and run
>
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

Bug:  chromium:724785 
Change-Id: I9bd26639548219722187e263dc7c1f8287910a9b
Reviewed-on: https://chromium-review.googlesource.com/550204
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/d0be8d66fc3533b682f609b6df5aa248f73c3a3a/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 50 by bugdroid1@chromium.org, Jun 28 2017

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b43d262a8f22a72b9debfdd3bf167d9d16d06570

commit b43d262a8f22a72b9debfdd3bf167d9d16d06570
Author: Guenter Roeck <groeck@chromium.org>
Date: Wed Jun 28 00:56:12 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit d57fda44257ae0e898a530d9537e65f3a74ef861.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
>
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
>
> BUG= chromium:724785 
> TEST=Build and run
>
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/517316

Bug:  chromium:724785 
Change-Id: Id91901f4e7f24680b60c7ada7d7876aa63b91eb2
Reviewed-on: https://chromium-review.googlesource.com/550205
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/b43d262a8f22a72b9debfdd3bf167d9d16d06570/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 51 by sheriffbot@chromium.org, Jun 28 2017

Labels: -Security_Impact-Beta Security_Impact-Stable
Project Member

Comment 52 by bugdroid1@chromium.org, Jun 28 2017

Labels: merge-merged-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/03c52a281b3f3496e470418b1729c579e1069575

commit 03c52a281b3f3496e470418b1729c579e1069575
Author: Guenter Roeck <groeck@chromium.org>
Date: Wed Jun 28 15:51:49 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit b0a8a139832abc95077c6020842b8368f88fbf24.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
>
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
>
> BUG= chromium:724785 
> TEST=Build and run
>
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/517318
> (cherry picked from commit c5ae3f3e6b83d51564db8197439a04644f3ce2a7)
> Reviewed-on: https://chromium-review.googlesource.com/517319

Bug:  chromium:724785 
Change-Id: I92a52240f855c7670be34cf49c539739b479bb59
Reviewed-on: https://chromium-review.googlesource.com/550209
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/03c52a281b3f3496e470418b1729c579e1069575/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 53 by bugdroid1@chromium.org, Jun 30 2017

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8c3348722d05cdc134aeeb2bb1da63f6992b8bfe

commit 8c3348722d05cdc134aeeb2bb1da63f6992b8bfe
Author: Guenter Roeck <groeck@chromium.org>
Date: Fri Jun 30 23:02:51 2017

Revert "FROMLIST: uvcvideo: Prevent heap overflow in uvc driver"

This reverts commit 6eea2a7519579f14f1837e977068ea28ad98fd77.

Reason for revert: chromium:735776

BUG=chromium:735776
TEST=Guado, with a PTZ camera, move to home position

Original change's description:
> FROMLIST: uvcvideo: Prevent heap overflow in uvc driver
>
> The size of uvc_control_mapping is user controlled leading to a
> potential heap overflow in the uvc driver. This adds a check to verify
> the user provided size fits within the bounds of the defined buffer
> size.
>
> BUG= chromium:724785 
> TEST=Build and run
>
> Change-Id: Ie7d07814a8c5384d3c7bc1f2570f62775e771b42
> Signed-off-by: Robb Glasser <rglasser@google.com>
> [groeck: cherry picked from
>  https://source.codeaurora.org/quic/la/kernel/msm-3.10
>  commit b7b99e55bc7770187913ed092990852ea52d7892;
>  updated subject]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (am from https://patchwork.kernel.org/patch/9741303/)
> Reviewed-on: https://chromium-review.googlesource.com/517423
> Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
> (cherry picked from commit 7ddb4bdd8712a3a00fc8efe22586eadb75b27391)
> Reviewed-on: https://chromium-review.googlesource.com/517317

Bug:  chromium:724785 
Change-Id: I66d4ec8a6d19b05e09de3dcdc543cc1b9d95b7de
Reviewed-on: https://chromium-review.googlesource.com/550206
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/8c3348722d05cdc134aeeb2bb1da63f6992b8bfe/drivers/media/usb/uvc/uvc_ctrl.c


Can we mark this as fixed?
Labels: -merge-merged-chromeos-3.18 -merge-merged-chromeos-3.10 -merge-merged-chromeos-3.14 -merge-merged-chromeos-3.8 -merge-merged-chromeos-4.4 -merge-merged-release-R59-9460.B-chromeos-3.18 -merge-merged-release-R59-9460.B-chromeos-3.14 -merge-merged-release-R59-9460.B-chromeos-4.4 -merge-merged-release-R59-9460.B-chromeos-3.8 -merge-merged-release-R60-9592.B-chromeos-3.18 -merge-merged-release-R60-9592.B-chromeos-4.4 -merge-merged-release-R60-9592.B-chromeos-3.14 -merge-merged-release-R60-9592.B-chromeos-3.10 Arch-MIPS Arch-ARM64
No, because the fix was broken and had to be reverted.

Labels: -M-59 M-60
Given the low severity of this bug (2.6/10.0), moving target to M-60.

Project Member

Comment 59 by bugdroid1@chromium.org, Jul 19 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/aec5026d95ff8a19c0e64ed97c1df847df3bd1a4

commit aec5026d95ff8a19c0e64ed97c1df847df3bd1a4
Author: Guenter Roeck <linux@roeck-us.net>
Date: Wed Jul 19 19:34:32 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG=b:33300353,  chromium:724785 
TEST=Guado, with a PTZ camera, move to home position

Change-Id: I1064e9041f49638183d42dfb174260bc166eb3a2
Originally-from: Richard Simmons <rssimmo@amazon.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9820061/)
Reviewed-on: https://chromium-review.googlesource.com/550755
Reviewed-by: Sean Paul <seanpaul@google.com>

[modify] https://crrev.com/aec5026d95ff8a19c0e64ed97c1df847df3bd1a4/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 60 by bugdroid1@chromium.org, Jul 19 2017

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/dd42daf1f0f4307e3d9db1868f28502979d0d38f

commit dd42daf1f0f4307e3d9db1868f28502979d0d38f
Author: Guenter Roeck <linux@roeck-us.net>
Date: Wed Jul 19 23:26:55 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG=b:33300353,  chromium:724785 
TEST=Guado, with a PTZ camera, move to home position

Change-Id: I1064e9041f49638183d42dfb174260bc166eb3a2
Originally-from: Richard Simmons <rssimmo@amazon.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9820061/)
Reviewed-on: https://chromium-review.googlesource.com/550977

[modify] https://crrev.com/dd42daf1f0f4307e3d9db1868f28502979d0d38f/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 61 by bugdroid1@chromium.org, Jul 19 2017

Labels: merge-merged-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5cd84256857d35236ba1920eb80d2ce5f0ef4fd9

commit 5cd84256857d35236ba1920eb80d2ce5f0ef4fd9
Author: Guenter Roeck <linux@roeck-us.net>
Date: Wed Jul 19 23:26:54 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG=b:33300353,  chromium:724785 
TEST=Guado, with a PTZ camera, move to home position

Change-Id: I1064e9041f49638183d42dfb174260bc166eb3a2
Originally-from: Richard Simmons <rssimmo@amazon.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9820061/)
Reviewed-on: https://chromium-review.googlesource.com/550978

[modify] https://crrev.com/5cd84256857d35236ba1920eb80d2ce5f0ef4fd9/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 62 by bugdroid1@chromium.org, Jul 20 2017

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/554078ef636ce359592a30342d2b843378066ada

commit 554078ef636ce359592a30342d2b843378066ada
Author: Guenter Roeck <linux@roeck-us.net>
Date: Thu Jul 20 02:03:53 2017

FROMLIST: uvcvideo: Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

BUG=b:33300353,  chromium:724785 
TEST=Guado, with a PTZ camera, move to home position

Change-Id: I1064e9041f49638183d42dfb174260bc166eb3a2
Originally-from: Richard Simmons <rssimmo@amazon.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9820061/)
Reviewed-on: https://chromium-review.googlesource.com/550976

[modify] https://crrev.com/554078ef636ce359592a30342d2b843378066ada/drivers/media/usb/uvc/uvc_ctrl.c

Project Member

Comment 63 by sheriffbot@chromium.org, Jul 21 2017

groeck: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Fixed (was: Assigned)
Project Member

Comment 65 by sheriffbot@chromium.org, Oct 28 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 66 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)
