From c107f07931cd5694aa54b96b4f50b544649d08dd Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Fri, 7 Feb 2025 09:44:18 -0500 Subject: [PATCH 1/2] media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format jira VULN-9667 cve CVE-2024-53104 commit-author Benoit Sevens commit ecf2b43018da9579842c774b7f35dbe11b5c38dd This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming. Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") Signed-off-by: Benoit Sevens Cc: stable@vger.kernel.org Acked-by: Greg Kroah-Hartman Reviewed-by: Laurent Pinchart Signed-off-by: Hans Verkuil (cherry picked from commit ecf2b43018da9579842c774b7f35dbe11b5c38dd) Signed-off-by: Brett Mastbergen --- drivers/media/usb/uvc/uvc_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index d509a4a2f08e9..50b7ca55fbabc 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -672,7 +672,7 @@ static int uvc_parse_format(struct uvc_device *dev, * Parse the frame descriptors. Only uncompressed, MJPEG and frame * based formats have frame descriptors. */ - while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && + while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && buffer[2] == ftype) { frame = &format->frame[format->nframes]; if (ftype != UVC_VS_FRAME_FRAME_BASED) From 2b64cea1afb578e148eb059facf6b4815bac401e Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Thu, 16 Jan 2025 19:09:24 -0500 Subject: [PATCH 2/2] github actions: Reduce Pull Request openness Since the kernel builds are very expensive we only want to run the workflows associated with them is by approval of staff / maintainers of the kernel. There was a miss understanding initially that pull_request_target was required to get access to the code. --- .github/workflows/build-check_aarch64.yml | 2 +- .github/workflows/build-check_x86_64.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-check_aarch64.yml b/.github/workflows/build-check_aarch64.yml index f1e6401156036..9bcb0587db44c 100644 --- a/.github/workflows/build-check_aarch64.yml +++ b/.github/workflows/build-check_aarch64.yml @@ -1,6 +1,6 @@ name: aarch64 CI on: - pull_request_target: + pull_request: branches: - '**' - '!mainline' diff --git a/.github/workflows/build-check_x86_64.yml b/.github/workflows/build-check_x86_64.yml index 97f9fc567dc13..2bf53a9f70f6e 100644 --- a/.github/workflows/build-check_x86_64.yml +++ b/.github/workflows/build-check_x86_64.yml @@ -1,6 +1,6 @@ name: x86_64 CI on: - pull_request_target: + pull_request: branches: - '**' - '!mainline'