From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:47163 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754943AbbG3AZY (ORCPT ); Wed, 29 Jul 2015 20:25:24 -0400 Subject: Patch "[media] cx24116: fix a buffer overflow when checking userspace params" has been added to the 4.1-stable tree To: mchehab@osg.samsung.com, gregkh@linuxfoundation.org Cc: , From: Date: Wed, 29 Jul 2015 17:25:22 -0700 Message-ID: <14382159228121@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled [media] cx24116: fix a buffer overflow when checking userspace params to the 4.1-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch and it can be found in the queue-4.1 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 1fa2337a315a2448c5434f41e00d56b01a22283c Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Tue, 28 Apr 2015 18:51:17 -0300 Subject: [media] cx24116: fix a buffer overflow when checking userspace params From: Mauro Carvalho Chehab commit 1fa2337a315a2448c5434f41e00d56b01a22283c upstream. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows to write up much more values: drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg() error: buffer overflow 'd->msg' 6 <= 23 Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/dvb-frontends/cx24116.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/drivers/media/dvb-frontends/cx24116.c +++ b/drivers/media/dvb-frontends/cx24116.c @@ -963,6 +963,10 @@ static int cx24116_send_diseqc_msg(struc struct cx24116_state *state = fe->demodulator_priv; int i, ret; + /* Validate length */ + if (d->msg_len > sizeof(d->msg)) + return -EINVAL; + /* Dump DiSEqC message */ if (debug) { printk(KERN_INFO "cx24116: %s(", __func__); @@ -974,10 +978,6 @@ static int cx24116_send_diseqc_msg(struc printk(") toneburst=%d\n", toneburst); } - /* Validate length */ - if (d->msg_len > (CX24116_ARGLEN - CX24116_DISEQC_MSGOFS)) - return -EINVAL; - /* DiSEqC message */ for (i = 0; i < d->msg_len; i++) state->dsec_cmd.args[CX24116_DISEQC_MSGOFS + i] = d->msg[i]; Patches currently in stable-queue which might be from mchehab@osg.samsung.com are queue-4.1/media-fix-regression-in-some-more-dib0700-based-devices.patch queue-4.1/cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch queue-4.1/saa7164-fix-querycap-warning.patch queue-4.1/vb2-don-t-warn-when-v4l2_buffer.bytesused-is-0-for-multiplanar-buffers.patch queue-4.1/s5h1420-fix-a-buffer-overflow-when-checking-userspace-params.patch queue-4.1/rc-core-fix-dib0700-scancode-generation-for-rc5.patch queue-4.1/cx24117-fix-a-buffer-overflow-when-checking-userspace-params.patch queue-4.1/af9013-don-t-accept-invalid-bandwidth.patch queue-4.1/cx18-add-missing-caps-for-the-pcm-video-device.patch