Re: [PATCH] Prevent buffer overflow in UVC Gadget setup handler

From: Greg Kroah-Hartman
Date: Thu Dec 01 2022 - 07:29:09 EST


On Thu, Dec 01, 2022 at 01:21:41PM +0100, Szymon Heidrich wrote:
> Setup function uvc_function_setup permits control transfer
> requests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE),
> data stage handler for OUT transfer uses memcpy to copy req->actual
> bytes to uvc_event->data.data array of size 60. This may result
> in an overflow of 4 bytes.
>
> Signed-off-by: Szymon Heidrich <szymon.heidrich@xxxxxxxxx>
> ---
> drivers/usb/gadget/function/f_uvc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)

What commit id does this fix? Is it needed for stable kernels?

thanks,

greg k-h