Re: [PATCH] Prevent buffer overflow in UVC Gadget setup handler
From: Szymon Heidrich
Date: Thu Dec 01 2022 - 07:44:43 EST
On 01/12/2022 13:28, Greg Kroah-Hartman wrote:
> On Thu, Dec 01, 2022 at 01:21:41PM +0100, Szymon Heidrich wrote:
>> Setup function uvc_function_setup permits control transfer
>> requests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE),
>> data stage handler for OUT transfer uses memcpy to copy req->actual
>> bytes to uvc_event->data.data array of size 60. This may result
>> in an overflow of 4 bytes.
>>
>> Signed-off-by: Szymon Heidrich <szymon.heidrich@xxxxxxxxx>
>> ---
>> drivers/usb/gadget/function/f_uvc.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> What commit id does this fix? Is it needed for stable kernels?
>
> thanks,
>
> greg k-h
As far as I understand this would be the original commit so cdda479f15cd13fa50a913ca85129c0437cc7b91.
I guess that it is also needed for stable kernels, yet please correct me if I'm wrong.
Best regards,
Szymon