CVE-2024-36895

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 30/05/2024
Last modified: 18/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: use correct buffer size when parsing configfs lists

This commit fixes uvc gadget support on 32-bit platforms.

Commit 0df28607c5cb ("usb: gadget: uvc: Generalise helper functions for reuse") introduced a helper function __uvcg_iter_item_entries() to aid with parsing lists of items on configfs attributes stores. This function is a generalization of another very similar function, which used a stack-allocated temporary buffer of fixed size for each item in the list and used the sizeof() operator to check for potential buffer overruns. The new function was changed to allocate the now variably sized temp buffer on heap, but wasn't properly updated to also check for max buffer size using the computed size instead of sizeof() operator.

As a result, the maximum item size was 7 (plus null terminator) on 64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just barely enough, 3 is definitely too small for some of UVC configfs attributes. For example, dwFrameInterval, specified in 100ns units, usually has 6-digit item values, e.g. 166666 for 60fps.
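The bug pattern described above, as an added user-space illustration that is not the kernel's code: once a temporary buffer moves from a fixed-size stack array to a heap allocation, `sizeof()` on it yields the pointer size instead of the buffer size. The names `iter_items`, `max_item_len` and the 16-byte item size are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a newline-separated list parser (not kernel code).
 * Copies each item into a heap buffer of `size` bytes. Returns the number
 * of items accepted, or -1 if an item does not fit the checked limit. */
static int iter_items(const char *page, size_t size, int use_sizeof_bug)
{
    char *buf = malloc(size);
    int count = 0;
    if (!buf)
        return -1;
    /* Bug pattern: sizeof(buf) is the size of a pointer (4 or 8 bytes),
     * not of the allocation. The fixed check uses the computed size.
     * If `size` were smaller than a pointer, the buggy limit would also
     * allow a write past the allocation; this demo keeps size >= 8. */
    size_t limit = use_sizeof_bug ? sizeof(buf) : size;
    for (const char *p = page; *p; ) {
        size_t len = strcspn(p, "\n");
        if (len >= limit) {          /* need room for the terminator */
            free(buf);
            return -1;
        }
        memcpy(buf, p, len);
        buf[len] = '\0';
        count++;
        p += len;
        if (*p == '\n')
            p++;
    }
    free(buf);
    return count;
}

/* Longest single item the parser accepts for a given buffer size. */
static size_t max_item_len(size_t size, int use_sizeof_bug)
{
    char item[64];                   /* a real array: sizeof(item) == 64 */
    size_t best = 0;
    for (size_t len = 1; len < sizeof(item); len++) {
        memset(item, '1', len);
        item[len] = '\0';
        if (iter_items(item, size, use_sizeof_bug) == 1)
            best = len;
    }
    return best;
}

int main(void)
{
    printf("buggy max item: %zu\n", max_item_len(16, 1));
    printf("fixed max item: %zu\n", max_item_len(16, 0));
    return 0;
}
```

On a 64-bit build the buggy check accepts items of at most 7 characters, and on a 32-bit build at most 3, matching the limits given in the description; the fixed check accepts up to the allocated size minus the terminator.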

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.3 (including) 6.6.31 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*