From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>,
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
Sasha Levin <sashal@kernel.org>,
linux-media@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 40/72] media: cec: silence shift wrapping warning in __cec_s_log_addrs()
Date: Mon, 8 Jun 2020 19:24:28 -0400 [thread overview]
Message-ID: <20200608232500.3369581-40-sashal@kernel.org> (raw)
In-Reply-To: <20200608232500.3369581-1-sashal@kernel.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 3b5af3171e2d5a73ae6f04965ed653d039904eb6 ]
The log_addrs->log_addr_type[i] value is a u8 which is controlled by
the user and comes from the ioctl. If it's over 31 then that results in
undefined behavior (shift wrapping) and that leads to a Smatch static
checker warning. We already cap the value later so we can silence the
warning just by re-ordering the existing checks.
I think the UBSan checker will also catch this bug at runtime and
generate a warning. But otherwise the bug is harmless.
Fixes: 9881fe0ca187 ("[media] cec: add HDMI CEC framework (adapter)")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/cec/cec-adap.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c
index 0d7d687aeea0..061b7824f698 100644
--- a/drivers/media/cec/cec-adap.c
+++ b/drivers/media/cec/cec-adap.c
@@ -1624,6 +1624,10 @@ int __cec_s_log_addrs(struct cec_adapter *adap,
unsigned j;
log_addrs->log_addr[i] = CEC_LOG_ADDR_INVALID;
+ if (log_addrs->log_addr_type[i] > CEC_LOG_ADDR_TYPE_UNREGISTERED) {
+ dprintk(1, "unknown logical address type\n");
+ return -EINVAL;
+ }
if (type_mask & (1 << log_addrs->log_addr_type[i])) {
dprintk(1, "duplicate logical address type\n");
return -EINVAL;
@@ -1644,10 +1648,6 @@ int __cec_s_log_addrs(struct cec_adapter *adap,
dprintk(1, "invalid primary device type\n");
return -EINVAL;
}
- if (log_addrs->log_addr_type[i] > CEC_LOG_ADDR_TYPE_UNREGISTERED) {
- dprintk(1, "unknown logical address type\n");
- return -EINVAL;
- }
for (j = 0; j < feature_sz; j++) {
if ((features[j] & 0x80) == 0) {
if (op_is_dev_features)
--
2.25.1
next prev parent reply other threads:[~2020-06-08 23:26 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-08 23:23 [PATCH AUTOSEL 4.14 01/72] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 02/72] ath9k: Fix use-after-free Write in ath9k_htc_rx_msg Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 03/72] drm: bridge: adv7511: Extend list of audio sample rates Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 04/72] crypto: ccp -- don't "select" CONFIG_DMADEVICES Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 05/72] media: si2157: Better check for running tuner in init Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 06/72] objtool: Ignore empty alternatives Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 07/72] spi: pxa2xx: Apply CS clk quirk to BXT Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 08/72] net: ena: fix error returning in ena_com_get_hash_function() Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 09/72] spi: dw: Zero DMA Tx and Rx configurations on stack Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 10/72] ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 11/72] MIPS: Loongson: Build ATI Radeon GPU driver as module Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 12/72] Bluetooth: Add SCO fallback for invalid LMP parameters error Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 13/72] kgdb: Prevent infinite recursive entries to the debugger Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 14/72] spi: dw: Enable interrupts in accordance with DMA xfer mode Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 15/72] clocksource: dw_apb_timer: Make CPU-affiliation being optional Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 16/72] clocksource: dw_apb_timer_of: Fix missing clockevent timers Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 17/72] btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 18/72] ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 19/72] spi: dw: Fix Rx-only DMA transfers Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 20/72] x86/kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 21/72] net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 22/72] staging: android: ion: use vmap instead of vm_map_ram Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 23/72] ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 24/72] ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 25/72] brcmfmac: fix wrong location to get firmware feature Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 26/72] tools api fs: Make xxx__mountpoint() more scalable Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 27/72] e1000: Distribute switch variables for initialization Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 28/72] dt-bindings: display: mediatek: control dpi pins mode to avoid leakage Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 29/72] audit: fix a net reference leak in audit_send_reply() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 30/72] media: dvb: return -EREMOTEIO on i2c transfer failure Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 31/72] media: platform: fcp: Set appropriate DMA parameters Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 32/72] MIPS: Make sparse_init() using top-down allocation Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 33/72] audit: fix a net reference leak in audit_list_rules_send() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 34/72] netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 35/72] net: bcmgenet: set Rx mode before starting netif Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 36/72] lib/mpi: Fix 64-bit MIPS build with Clang Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 37/72] perf: Add cond_resched() to task_function_call() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 38/72] exit: Move preemption fixup up, move blocking operations down Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 39/72] net: lpc-enet: fix error return code in lpc_mii_init() Sasha Levin
2020-06-08 23:24 ` Sasha Levin [this message]
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 41/72] net: allwinner: Fix use correct return type for ndo_start_xmit() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 42/72] powerpc/spufs: fix copy_to_user while atomic Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 43/72] ath9k_htc: Silence undersized packet warnings Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 44/72] Crypto/chcr: fix for ccm(aes) failed test Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 45/72] MIPS: Truncate link address into 32bit for 32bit kernel Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 46/72] mips: cm: Fix an invalid error code of INTVN_*_ERR Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 47/72] kgdb: Fix spurious true from in_dbg_master() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 48/72] nvme: refine the Qemu Identify CNS quirk Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 49/72] wcn36xx: Fix error handling path in 'wcn36xx_probe()' Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 50/72] net: qed*: Reduce RX and TX default ring count when running inside kdump kernel Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 51/72] md: don't flush workqueue unconditionally in md_open Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 52/72] rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 53/72] mwifiex: Fix memory corruption in dump_station Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 54/72] x86/boot: Correct relocation destination on old linkers Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 55/72] mips: MAAR: Use more precise address mask Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 56/72] mips: Add udelay lpj numbers adjustment Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 57/72] x86/mm: Stop printing BRK addresses Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 58/72] m68k: mac: Don't call via_flush_cache() on Mac IIfx Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 59/72] macvlan: Skip loopback packets in RX handler Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 60/72] PCI: Don't disable decoding when mmio_always_on is set Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 61/72] MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 62/72] xfs: gut error handling in xfs_trans_unreserve_and_mod_sb() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 63/72] mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 64/72] staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc core Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 65/72] mmc: via-sdmmc: " Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 66/72] ixgbe: fix signed-integer-overflow warning Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 67/72] mmc: sdhci-esdhc-imx: fix the mask for tuning start point Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 68/72] spi: dw: Return any value retrieved from the dma_transfer callback Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 69/72] cpuidle: Fix three reference count leaks Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 70/72] platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 71/72] vxlan: Avoid infinite loop when suppressing NS messages with invalid options Sasha Levin
2020-06-08 23:25 ` [PATCH AUTOSEL 4.14 72/72] string.h: fix incompatibility between FORTIFY_SOURCE and KASAN Sasha Levin
2020-06-08 23:46 ` Daniel Axtens
2020-06-09 11:20 ` Pavel Machek
2020-06-09 11:54 ` Greg KH
2020-06-09 13:55 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200608232500.3369581-40-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dan.carpenter@oracle.com \
--cc=hverkuil-cisco@xs4all.nl \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).