From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D207B20D4E3; Tue, 12 Nov 2024 10:28:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731407307; cv=none; b=dTfydJs+0Cb7JQBOSE5dpa0JgTUgACRC9hRSKzcORNJctBMKLCG0ui7FszhjBN13mC362JckD+uWiEt2kdvRGWnwTQceZYS4F9s8ch9mqf2MTymVQebmOqMgNpiY4FUt3CDUzOjfUONdILMHll5/MPJSBBhDTO/Rxyw6ODTadRU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731407307; c=relaxed/simple; bh=x5iR/z0YbX0yFxFsl6eNX0toyyusggsmOtn5EFGGHhg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=anvVP4Ce6iQaGPcG2SI53HW9TjCxlreGJZT3Ywz2lZx75gLSZ2qgs0YbL0MKfXhPm3omyxUM97pFBzSn8daCCv6fp+uwzdRSozkOk/LSkwWWU/IxZlGuDau2kEYMncrfkELma0xhiEveeBW34W7glJw8HWzaSoqyG80eoWxJnXE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=LFk8UafQ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="LFk8UafQ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4046DC4CECD; Tue, 12 Nov 2024 10:28:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1731407307; bh=x5iR/z0YbX0yFxFsl6eNX0toyyusggsmOtn5EFGGHhg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LFk8UafQqHfTI5+WSgA2KRPT7vYhpsvQlC0JdVpJV/QyZASSMVv/2bSL7tTLpbv44 ACKjTVLE7fq/GMKsuZe+oTg7nQzbaT8A9GeHw667IpJXrVP1fKbZZHFDyxIRb5EIZF VeBoIjlU5JEdj3pvbdMBKHEqhwTfptDJVBScKfIY= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH 6.1 36/98] media: dvbdev: prevent the risk of out of memory access Date: Tue, 12 Nov 2024 11:20:51 +0100 Message-ID: <20241112101845.648386785@linuxfoundation.org> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241112101844.263449965@linuxfoundation.org> References: <20241112101844.263449965@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mauro Carvalho Chehab [ Upstream commit 972e63e895abbe8aa1ccbdbb4e6362abda7cd457 ] The dvbdev contains a static variable used to store dvb minors. The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set or not. When not set, dvb_register_device() won't check for boundaries, as it will rely that a previous call to dvb_register_adapter() would already be enforcing it. On a similar way, dvb_device_open() uses the assumption that the register functions already did the needed checks. This can be fragile if some device ends using different calls. This also generate warnings on static check analysers like Coverity. So, add explicit guards to prevent potential risk of OOM issues. Fixes: 5dd3f3071070 ("V4L/DVB (9361): Dynamic DVB minor allocation") Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/dvb-core/dvbdev.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index 04b7ce479fc38..d1212acb70932 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -86,10 +86,15 @@ static DECLARE_RWSEM(minor_rwsem); static int dvb_device_open(struct inode *inode, struct file *file) { struct dvb_device *dvbdev; + unsigned int minor = iminor(inode); + + if (minor >= MAX_DVB_MINORS) + return -ENODEV; mutex_lock(&dvbdev_mutex); down_read(&minor_rwsem); - dvbdev = dvb_minors[iminor(inode)]; + + dvbdev = dvb_minors[minor]; if (dvbdev && dvbdev->fops) { int err = 0; @@ -529,7 +534,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, for (minor = 0; minor < MAX_DVB_MINORS; minor++) if (dvb_minors[minor] == NULL) break; - if (minor == MAX_DVB_MINORS) { + if (minor >= MAX_DVB_MINORS) { if (new_node) { list_del (&new_node->list_head); kfree(dvbdevfops); @@ -544,6 +549,14 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, } #else minor = nums2minor(adap->num, type, id); + if (minor >= MAX_DVB_MINORS) { + dvb_media_device_free(dvbdev); + list_del(&dvbdev->list_head); + kfree(dvbdev); + *pdvbdev = NULL; + mutex_unlock(&dvbdev_register_lock); + return ret; + } #endif dvbdev->minor = minor; dvb_minors[minor] = dvb_device_get(dvbdev); -- 2.43.0