From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Luo Likang <luolikang@nsfocus.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>,
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Subject: [PATCH 5.4 4/9] media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()
Date: Thu, 4 Nov 2021 15:12:57 +0100 [thread overview]
Message-ID: <20211104141158.527662375@linuxfoundation.org> (raw)
In-Reply-To: <20211104141158.384397574@linuxfoundation.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 35d2969ea3c7d32aee78066b1f3cf61a0d935a4e upstream.
The bounds checking in avc_ca_pmt() is not strict enough. It should
be checking "read_pos + 4" because it's reading 5 bytes. If the
"es_info_length" is non-zero then it reads a 6th byte so there needs to
be an additional check for that.
I also added checks for the "write_pos". I don't think these are
required because "read_pos" and "write_pos" are tied together so
checking one ought to be enough. But they make the code easier to
understand for me. The check on write_pos is:
if (write_pos + 4 >= sizeof(c->operand) - 4) {
The first "+ 4" is because we're writing 5 bytes and the last " - 4"
is to leave space for the CRC.
The other problem is that "length" can be invalid. It comes from
"data_length" in fdtv_ca_pmt().
Cc: stable@vger.kernel.org
Reported-by: Luo Likang <luolikang@nsfocus.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/firewire/firedtv-avc.c | 14 +++++++++++---
drivers/media/firewire/firedtv-ci.c | 2 ++
2 files changed, 13 insertions(+), 3 deletions(-)
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1165,7 +1165,11 @@ int avc_ca_pmt(struct firedtv *fdtv, cha
read_pos += program_info_length;
write_pos += program_info_length;
}
- while (read_pos < length) {
+ while (read_pos + 4 < length) {
+ if (write_pos + 4 >= sizeof(c->operand) - 4) {
+ ret = -EINVAL;
+ goto out;
+ }
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
@@ -1177,13 +1181,17 @@ int avc_ca_pmt(struct firedtv *fdtv, cha
c->operand[write_pos++] = es_info_length >> 8;
c->operand[write_pos++] = es_info_length & 0xff;
if (es_info_length > 0) {
+ if (read_pos >= length) {
+ ret = -EINVAL;
+ goto out;
+ }
pmt_cmd_id = msg[read_pos++];
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device, "invalid pmt_cmd_id %d at stream level\n",
pmt_cmd_id);
- if (es_info_length > sizeof(c->operand) - 4 -
- write_pos) {
+ if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
+ es_info_length > length - read_pos) {
ret = -EINVAL;
goto out;
}
--- a/drivers/media/firewire/firedtv-ci.c
+++ b/drivers/media/firewire/firedtv-ci.c
@@ -134,6 +134,8 @@ static int fdtv_ca_pmt(struct firedtv *f
} else {
data_length = msg->msg[3];
}
+ if (data_length > sizeof(msg->msg) - data_pos)
+ return -EINVAL;
return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
}
next prev parent reply other threads:[~2021-11-04 14:16 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-04 14:12 [PATCH 5.4 0/9] 5.4.158-rc1 review Greg Kroah-Hartman
2021-11-04 14:12 ` [PATCH 5.4 1/9] scsi: core: Put LLD module refcnt after SCSI device is released Greg Kroah-Hartman
2021-11-04 14:12 ` [PATCH 5.4 2/9] vrf: Revert "Reset skb conntrack connection..." Greg Kroah-Hartman
2021-11-04 14:12 ` [PATCH 5.4 3/9] net: ethernet: microchip: lan743x: Fix skb allocation failure Greg Kroah-Hartman
2021-11-04 14:12 ` Greg Kroah-Hartman [this message]
2021-11-04 14:12 ` [PATCH 5.4 5/9] Revert "xhci: Set HCD flag to defer primary roothub registration" Greg Kroah-Hartman
2021-11-04 14:12 ` [PATCH 5.4 6/9] Revert "usb: core: hcd: Add support for deferring " Greg Kroah-Hartman
2021-11-04 14:13 ` [PATCH 5.4 7/9] sfc: Fix reading non-legacy supported link modes Greg Kroah-Hartman
2021-11-04 14:13 ` [PATCH 5.4 8/9] Revert "drm/ttm: fix memleak in ttm_transfered_destroy" Greg Kroah-Hartman
2021-11-04 14:13 ` [PATCH 5.4 9/9] ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" Greg Kroah-Hartman
2021-11-04 21:21 ` [PATCH 5.4 0/9] 5.4.158-rc1 review Florian Fainelli
2021-11-04 22:22 ` Shuah Khan
2021-11-05 11:23 ` Jon Hunter
2021-11-05 11:36 ` Naresh Kamboju
2021-11-05 12:48 ` Sudip Mukherjee
2021-11-05 15:13 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211104141158.527662375@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=hverkuil-cisco@xs4all.nl \
--cc=linux-kernel@vger.kernel.org \
--cc=luolikang@nsfocus.com \
--cc=mchehab+huawei@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.