From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8485CC433DF for ; Fri, 21 Aug 2020 16:45:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5C08F206DA for ; Fri, 21 Aug 2020 16:45:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598028336; bh=cUGyqRoLKLvxQhBGrRQhHCN2eGOlJljyoYCfi1tGecU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=OIL3fQieEWHaSRt3+bNJzY4LgugCli/1mLbMyqzsci2J01nHrEo820nhEYrZsl/TM Rq1fRJYl9F4ukF/PRK5eSi4rVlerEUVConX5wD26DxoUMhvZUxgH6+c3WcdukWO9FR oAG/pJRoSGYLwdkmwGdgmaVxpgzCriF24vdh6PNM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728624AbgHUQpY (ORCPT ); Fri, 21 Aug 2020 12:45:24 -0400 Received: from mail.kernel.org ([198.145.29.99]:48870 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728382AbgHUQUm (ORCPT ); Fri, 21 Aug 2020 12:20:42 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 449A1208DB; Fri, 21 Aug 2020 16:19:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598026784; bh=cUGyqRoLKLvxQhBGrRQhHCN2eGOlJljyoYCfi1tGecU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kI+uK8+KV8nr2/z1EGQtlhO+XYgfl+rrTZmneNup7CvL/yVV4u7C2TyfzG9xEemH5 rAVPLOTiVT8Ye3N0H56/ECaMXs/eoCjkRs6uz/VLUszIg6cp7xa5r+9sexrtzpDI2D kbI8HBuJ7GVoMzGoQerD4yerH+xqBOzJVDGfheR8= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Jia-Ju Bai , Sean Young , Mauro Carvalho Chehab , Sasha Levin , linux-media@vger.kernel.org Subject: [PATCH AUTOSEL 4.9 04/26] media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() Date: Fri, 21 Aug 2020 12:19:15 -0400 Message-Id: <20200821161938.349246-4-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200821161938.349246-1-sashal@kernel.org> References: <20200821161938.349246-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jia-Ju Bai [ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ] The value av7110->debi_virt is stored in DMA memory, and it is assigned to data, and thus data[0] can be modified at any time by malicious hardware. In this case, "if (data[0] < 2)" can be passed, but then data[0] can be changed into a large number, which may cause buffer overflow when the code "av7110->ci_slot[data[0]]" is used. To fix this possible bug, data[0] is assigned to a local variable, which replaces the use of data[0]. Signed-off-by: Jia-Ju Bai Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/pci/ttpci/av7110.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/media/pci/ttpci/av7110.c b/drivers/media/pci/ttpci/av7110.c index 382caf200ba16..c313f51688f44 100644 --- a/drivers/media/pci/ttpci/av7110.c +++ b/drivers/media/pci/ttpci/av7110.c @@ -426,14 +426,15 @@ static void debiirq(unsigned long cookie) case DATA_CI_GET: { u8 *data = av7110->debi_virt; + u8 data_0 = data[0]; - if ((data[0] < 2) && data[2] == 0xff) { + if (data_0 < 2 && data[2] == 0xff) { int flags = 0; if (data[5] > 0) flags |= CA_CI_MODULE_PRESENT; if (data[5] > 5) flags |= CA_CI_MODULE_READY; - av7110->ci_slot[data[0]].flags = flags; + av7110->ci_slot[data_0].flags = flags; } else ci_get_data(&av7110->ci_rbuffer, av7110->debi_virt, -- 2.25.1