From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Jozef Balga <jozef.balga@gmail.com>,
Mauro Carvalho Chehab <mchehab+samsung@kernel.org>,
Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH AUTOSEL 3.18 1/4] media: af9035: prevent buffer overflow on write
Date: Mon, 8 Oct 2018 11:27:46 -0400 [thread overview]
Message-ID: <20181008152749.71018-1-sashal@kernel.org> (raw)
From: Jozef Balga <jozef.balga@gmail.com>
[ Upstream commit 312f73b648626a0526a3aceebb0a3192aaba05ce ]
When less than 3 bytes are written to the device, memcpy is called with
negative array size which leads to buffer overflow and kernel panic. This
patch adds a condition and returns -EOPNOTSUPP instead.
Fixes bugzilla issue 64871
[mchehab+samsung@kernel.org: fix a merge conflict and changed the
condition to match the patch's comment, e. g. len == 3 could
also be valid]
Signed-off-by: Jozef Balga <jozef.balga@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
drivers/media/usb/dvb-usb-v2/af9035.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/dvb-usb-v2/af9035.c b/drivers/media/usb/dvb-usb-v2/af9035.c
index 1896ab218b11..efc1545bf29e 100644
--- a/drivers/media/usb/dvb-usb-v2/af9035.c
+++ b/drivers/media/usb/dvb-usb-v2/af9035.c
@@ -389,8 +389,10 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap,
msg[0].addr == (state->af9033_i2c_addr[1] >> 1))
reg |= 0x100000;
- ret = af9035_wr_regs(d, reg, &msg[0].buf[3],
- msg[0].len - 3);
+ ret = (msg[0].len >= 3) ? af9035_wr_regs(d, reg,
+ &msg[0].buf[3],
+ msg[0].len - 3)
+ : -EOPNOTSUPP;
} else {
/* I2C write */
u8 buf[MAX_XFER_SIZE];
--
2.17.1
next reply other threads:[~2018-10-08 15:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-08 15:27 Sasha Levin [this message]
2018-10-08 15:27 ` [PATCH AUTOSEL 3.18 2/4] RISC-V: include linux/ftrace.h in asm-prototypes.h Sasha Levin
2018-10-08 15:27 ` [PATCH AUTOSEL 3.18 3/4] powerpc/tm: Fix userspace r13 corruption Sasha Levin
2018-10-08 15:27 ` [PATCH AUTOSEL 3.18 4/4] powerpc/tm: Avoid possible userspace r1 corruption on reclaim Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181008152749.71018-1-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=alexander.levin@microsoft.com \
--cc=jozef.balga@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab+samsung@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.