[PATCH 3.18 77/85] media: v4l2-compat-ioctl32: prevent go past max size

From: Greg Kroah-Hartman
Date: Sun Jul 01 2018 - 12:14:32 EST


3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx>

commit ea72fbf588ac9c017224dcdaa2019ff52ca56fee upstream.

As warned by smatch:
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:879 put_v4l2_ext_controls32() warn: check for integer overflow 'count'

The access_ok() logic should check for too big arrays too.

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -856,7 +856,7 @@ static int put_v4l2_ext_controls32(struc
get_user(kcontrols, &kp->controls))
return -EFAULT;

- if (!count)
+ if (!count || count > (U32_MAX/sizeof(*ucontrols)))
return 0;
if (get_user(p, &up->controls))
return -EFAULT;