Linux Media Controller development
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: manjunath.hadli@ti.com
Cc: linux-media@vger.kernel.org
Subject: [bug report] [media] davinci: vpfe: add v4l2 video driver support
Date: Wed, 1 May 2019 11:27:59 +0300	[thread overview]
Message-ID: <20190501082759.GA13767@mwanda> (raw)

[ This is really old, but it looks like a potentially serious security
  bug so we probably want to fix it.  -dan ]

Hello Manjunath Hadli,

The patch 622897da67b3: "[media] davinci: vpfe: add v4l2 video driver
support" from Nov 28, 2012, leads to the following static checker
warning:

	drivers/staging/media/davinci_vpfe/vpfe_video.c:871 vpfe_s_input()
	warn: uncapped user index 'sdinfo->routes[index]'

drivers/staging/media/davinci_vpfe/vpfe_video.c
   821  /*
   822   * vpfe_s_input() - set input which is pointed by input index
   823   * @file: file pointer
   824   * @priv: void pointer
   825   * @index: pointer to unsigned int
   826   *
   827   * set input on external subdev
   828   *
   829   * Return 0 on success, error code otherwise
   830   */
   831  static int vpfe_s_input(struct file *file, void *priv, unsigned int index)
                                                               ^^^^^^^^^^^^^^^^^^
index comes from __video_do_ioctl() -> v4l_s_input() -> vpfe_s_input().
It hasn't been checked.

   832  {
   833          struct vpfe_video_device *video = video_drvdata(file);
   834          struct vpfe_device *vpfe_dev = video->vpfe_dev;
   835          struct vpfe_ext_subdev_info *sdinfo;
   836          struct vpfe_route *route;
   837          struct v4l2_input *inps;
   838          u32 output;
   839          u32 input;
   840          int ret;
   841          int i;
   842  
   843          v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, "vpfe_s_input\n");
   844  
   845          ret = mutex_lock_interruptible(&video->lock);
   846          if (ret)
   847                  return ret;
   848          /*
   849           * If streaming is started return device busy
   850           * error
   851           */
   852          if (video->started) {
   853                  v4l2_err(&vpfe_dev->v4l2_dev, "Streaming is on\n");
   854                  ret = -EBUSY;
   855                  goto unlock_out;
   856          }
   857  
   858          sdinfo = video->current_ext_subdev;
   859          if (!sdinfo->registered) {
   860                  ret = -EINVAL;
   861                  goto unlock_out;
   862          }
   863          if (vpfe_dev->cfg->setup_input &&
   864                  vpfe_dev->cfg->setup_input(sdinfo->grp_id) < 0) {
   865                  ret = -EFAULT;
   866                  v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
   867                            "couldn't setup input for %s\n",
   868                            sdinfo->module_name);
   869                  goto unlock_out;
   870          }
   871          route = &sdinfo->routes[index];

We're potentially reading out of bounds here.  The problem is that we
don't store the size of the ->routes[] array anywhere (it has a sentinal
at the end) so I'm not sure what to check against.

Please CC me on the fix.

   872          if (route && sdinfo->can_route) {
   873                  input = route->input;
   874                  output = route->output;
   875                  ret = v4l2_device_call_until_err(&vpfe_dev->v4l2_dev,
   876                                                   sdinfo->grp_id, video,
   877                                                   s_routing, input, output, 0);
   878                  if (ret) {
   879                          v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
   880                                  "s_input:error in setting input in decoder\n");
   881                          ret = -EINVAL;
   882                          goto unlock_out;
   883                  }
   884          }
   885          /* set standards set by subdev in video device */
   886          for (i = 0; i < sdinfo->num_inputs; i++) {
   887                  inps = &sdinfo->inputs[i];
   888                  video->video_dev.tvnorms |= inps->std;
   889          }
   890          video->current_input = index;
   891  unlock_out:
   892          mutex_unlock(&video->lock);
   893          return ret;
   894  }

regards,
dan carpenter

                 reply	other threads:[~2019-05-01  8:28 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190501082759.GA13767@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=linux-media@vger.kernel.org \
    --cc=manjunath.hadli@ti.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox