public inbox for linux-media@vger.kernel.org
* BUG in av7110_vbi_write()
@ 2009-05-13 21:53 e9hack
  2009-05-14 11:44 ` Oliver Endriss
  0 siblings, 1 reply; 3+ messages in thread
From: e9hack @ 2009-05-13 21:53 UTC (permalink / raw)
  To: linux-media; +Cc: Oliver Endriss

Hi,

it seems there is a bug in av7110_vbi_write() (av7110_v4l.c). If a user mode application
tries to write more bytes than the size of the structure v4l2_slices_vbi_data,
copy_from_user() will overwrite parts of the kernel stack.

Regards,
Hartmut


* Re: BUG in av7110_vbi_write()
  2009-05-13 21:53 BUG in av7110_vbi_write() e9hack
@ 2009-05-14 11:44 ` Oliver Endriss
  2009-05-14 22:56   ` e9hack
  0 siblings, 1 reply; 3+ messages in thread
From: Oliver Endriss @ 2009-05-14 11:44 UTC (permalink / raw)
  To: e9hack; +Cc: linux-media

e9hack wrote:
> Hi,
> 
> it seems there is a bug in av7110_vbi_write() (av7110_v4l.c). If a user mode application
> tries to write more bytes than the size of the structure v4l2_slices_vbi_data,
> copy_from_user() will overwrite parts of the kernel stack.

No, it cannot happen:

|        if (FW_VERSION(av7110->arm_app) < 0x2623 || !av7110->wssMode || count != sizeof d)
|                return -EINVAL;
|        if (copy_from_user(&d, data, count))
|                return -EFAULT;

copy_from_user() will only be called if count == sizeof d.

CU
Oliver

-- 
----------------------------------------------------------------
VDR Remote Plugin 0.4.0: http://www.escape-edv.de/endriss/vdr/
----------------------------------------------------------------
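
The size check quoted in the reply above, modelled in user space as an added example (not code from the driver or from either poster). `struct vbi_record`, `struct frame`, `copy_stub()` and `vbi_write_model()` are hypothetical names; the canary stands in for whatever lies next to `d` on the stack, and the firmware-version and `wssMode` conditions are left out.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the fixed-size record the handler copies into. */
struct vbi_record { uint32_t id, field, line, reserved; uint8_t data[48]; };

/* Models the handler's stack frame: local 'd' plus whatever sits next to it. */
struct frame { struct vbi_record d; uint32_t canary; };
#define CANARY 0xC0FFEE11u

/* User-space stand-in for copy_from_user(): returns bytes NOT copied. */
static unsigned long copy_stub(void *to, const void *from, unsigned long n)
{
    memcpy(to, from, n);
    return 0;
}

/* Returns count on success or a negative errno; *intact tells whether the
 * state adjacent to d survived. guarded=1 applies the count != sizeof d test. */
long vbi_write_model(const void *data, size_t count, int guarded, int *intact)
{
    struct frame f = { .canary = CANARY };
    long ret = (long)count;

    if (guarded && count != sizeof f.d)
        ret = -EINVAL;                    /* wrong size: nothing is copied */
    else if (count > sizeof f)
        ret = -E2BIG;                     /* keeps the model itself in bounds */
    else if (copy_stub(&f, data, count))  /* d is at offset 0 of f */
        ret = -EFAULT;
    *intact = (f.canary == CANARY);
    return ret;
}

int main(void)
{
    unsigned char buf[sizeof(struct frame)];  /* constructed sample input */
    int ok;
    long r;
    memset(buf, 0x41, sizeof buf);
    r = vbi_write_model(buf, sizeof buf, 1, &ok);
    printf("guarded:   ret=%ld intact=%d\n", r, ok);
    r = vbi_write_model(buf, sizeof buf, 0, &ok);
    printf("unguarded: ret=%ld intact=%d\n", r, ok);
    return 0;
}
```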


* Re: BUG in av7110_vbi_write()
  2009-05-14 11:44 ` Oliver Endriss
@ 2009-05-14 22:56   ` e9hack
  0 siblings, 0 replies; 3+ messages in thread
From: e9hack @ 2009-05-14 22:56 UTC (permalink / raw)
  To: linux-media

Oliver Endriss wrote:
> copy_from_user() will only be called if count == sizeof d.

Ooops, I didn't see that.

Regards,
Hartmut

