From: Dan Carpenter <dan.carpenter@oracle.com>
To: Salvatore Bonaccorso <carnil@debian.org>,
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: Linus Torvalds <torvalds@linuxfoundation.org>,
Stefan Richter <stefanr@s5r6.in-berlin.de>,
Luo Likang <luolikang@nsfocus.com>,
Linux Media Mailing List <linux-media@vger.kernel.org>,
linux1394-devel@lists.sourceforge.net,
Yang Yanchao <yangyanchao6@huawei.com>,
Security Officers <security@kernel.org>
Subject: [PATCH] media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()
Date: Mon, 11 Oct 2021 12:42:48 +0300 [thread overview]
Message-ID: <20211011094248.GO2083@kadam> (raw)
In-Reply-To: <YWPh9zin9JuQinwd@eldamar.lan>
The bounds checking in avc_ca_pmt() is not strict enough. It should
be checking "read_pos + 4" because it's reading 5 bytes. If the
"es_info_length" is non-zero then it reads a 6th byte so there needs to
be an additional check for that.
I also added checks for the "write_pos". I don't think these are
required because "read_pos" and "write_pos" are tied together so
checking one ought to be enough. But they make the code easier to
understand for me. The check on write_pos is:
if (write_pos + 4 >= sizeof(c->operand) - 4) {
The first "+ 4" is because we're writing 5 bytes and the last " - 4"
is to leave space for the CRC.
The other problem is that "length" can be invalid. It comes from
"data_length" in fdtv_ca_pmt().
Cc: stable@vger.kernel.org
Reported-by: Luo Likang <luolikang@nsfocus.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
---
Cherry picked from linux-next.
drivers/media/firewire/firedtv-avc.c | 14 +++++++++++---
drivers/media/firewire/firedtv-ci.c | 2 ++
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index 2bf9467b917d..71991f8638e6 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1165,7 +1165,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
read_pos += program_info_length;
write_pos += program_info_length;
}
- while (read_pos < length) {
+ while (read_pos + 4 < length) {
+ if (write_pos + 4 >= sizeof(c->operand) - 4) {
+ ret = -EINVAL;
+ goto out;
+ }
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
@@ -1177,13 +1181,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
c->operand[write_pos++] = es_info_length >> 8;
c->operand[write_pos++] = es_info_length & 0xff;
if (es_info_length > 0) {
+ if (read_pos >= length) {
+ ret = -EINVAL;
+ goto out;
+ }
pmt_cmd_id = msg[read_pos++];
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device, "invalid pmt_cmd_id %d at stream level\n",
pmt_cmd_id);
- if (es_info_length > sizeof(c->operand) - 4 -
- write_pos) {
+ if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
+ es_info_length > length - read_pos) {
ret = -EINVAL;
goto out;
}
diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c
index 9363d005e2b6..e0d57e09dab0 100644
--- a/drivers/media/firewire/firedtv-ci.c
+++ b/drivers/media/firewire/firedtv-ci.c
@@ -134,6 +134,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
} else {
data_length = msg->msg[3];
}
+ if (data_length > sizeof(msg->msg) - data_pos)
+ return -EINVAL;
return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
}
--
2.20.1
next prev parent reply other threads:[~2021-10-11 9:43 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <000001d73031$d5304480$7f90cd80$@nsfocus.com>
2021-04-14 8:57 ` [PATCH] media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() Dan Carpenter
2021-04-19 21:42 ` Kees Cook
2021-06-07 15:23 ` [PATCH v2] " Dan Carpenter
2021-07-16 9:28 ` Petr Mladek
2021-07-19 10:25 ` [PATCH] " Dan Carpenter
2021-07-29 10:32 ` Greg KH
2021-08-16 7:01 ` Salvatore Bonaccorso
2021-08-16 7:27 ` [PATCH v2 RESEND] " Dan Carpenter
2021-09-01 10:40 ` Dan Carpenter
2021-09-12 13:14 ` Salvatore Bonaccorso
2021-09-12 18:26 ` Linus Torvalds
2021-09-13 2:50 ` Michael Ellerman
2021-09-13 13:23 ` Mauro Carvalho Chehab
2021-09-19 18:45 ` Salvatore Bonaccorso
2021-10-11 7:04 ` Salvatore Bonaccorso
2021-10-11 9:42 ` Dan Carpenter [this message]
2021-06-07 7:38 [PATCH] media firewire firedtv-avc " Yang Yanchao
-- strict thread matches above, loose matches on Subject: below --
2021-06-07 7:39 Yang Yanchao
2021-06-07 9:26 ` Greg KH
2021-06-07 14:28 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211011094248.GO2083@kadam \
--to=dan.carpenter@oracle.com \
--cc=carnil@debian.org \
--cc=hverkuil-cisco@xs4all.nl \
--cc=linux-media@vger.kernel.org \
--cc=linux1394-devel@lists.sourceforge.net \
--cc=luolikang@nsfocus.com \
--cc=mchehab+huawei@kernel.org \
--cc=security@kernel.org \
--cc=stefanr@s5r6.in-berlin.de \
--cc=torvalds@linuxfoundation.org \
--cc=yangyanchao6@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.