Re: [PATCH v2 RESEND] media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
	Linus Torvalds <torvalds@linuxfoundation.org>,
	Stefan Richter <stefanr@s5r6.in-berlin.de>,
	Luo Likang <luolikang@nsfocus.com>,
	Linux Media Mailing List <linux-media@vger.kernel.org>,
	linux1394-devel@lists.sourceforge.net,
	Yang Yanchao <yangyanchao6@huawei.com>,
	Security Officers <security@kernel.org>
Subject: Re: [PATCH v2 RESEND] media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()
Date: Mon, 11 Oct 2021 09:04:23 +0200	[thread overview]
Message-ID: <YWPh9zin9JuQinwd@eldamar.lan> (raw)
In-Reply-To: <YUeFVpGsWFpSPUsM@eldamar.lan>

Hi,

On Sun, Sep 19, 2021 at 08:45:42PM +0200, Salvatore Bonaccorso wrote:
> Hi Dan,
> 
> On Mon, Sep 13, 2021 at 03:23:02PM +0200, Mauro Carvalho Chehab wrote:
> > Em Sun, 12 Sep 2021 11:26:10 -0700
> > Linus Torvalds <torvalds@linuxfoundation.org> escreveu:
> > 
> > > On Sun, Sep 12, 2021 at 6:14 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > > >
> > > > On Wed, Sep 01, 2021 at 01:40:26PM +0300, Dan Carpenter wrote:  
> > > > > On Mon, Aug 16, 2021 at 10:27:22AM +0300, Dan Carpenter wrote:  
> > > > > > The bounds checking in avc_ca_pmt() is not strict enough.  It should
> > > > > > be checking "read_pos + 4" because it's reading 5 bytes.  If the
> > > > > > "es_info_length" is non-zero then it reads a 6th byte so there needs to
> > > > > > be an additional check for that.
> > > > > >
> > > > > > I also added checks for the "write_pos".  I don't think these are
> > > > > > required because "read_pos" and "write_pos" are tied together so
> > > > > > checking one ought to be enough.  
> > > 
> > > They may be in sync at a fixed offset, but the buffer length of the
> > > read ("int length") is not in sync with the buffer length for the
> > > write ("sizeof(c->operand)").
> > > 
> > > So I do think the write pos limit checking is actually necessary and needed.
> > > 
> > > > > > RESEND: this patch got lost somehow.  
> > > > >
> > > > > What the heck?  Someone on patchwork just marked this patch as obsolete
> > > > > again!!!  
> > > 
> > > Can we please make sure patchwork has some logging so that that kind
> > > of thing shows _who_ did this?
> > 
> > I've been wanting a feature like that on patchwork for years. Basically,
> > when there's more then a single person capable of accessing a patchwork
> > instance, there's no way to log who changed the status, nor to control who
> > can delegate a patch to someone else or not.
> > 
> > At least for me, touching patchwork is very hard, as the the entire login
> > logic, as well as the database model itself, is abstracted by Django. So,
> > I can't simply change a SQL insert clause there to add something else to
> > their logs nor to change the sent email that it is pushed when a patch
> > status changed.
> > 
> > I ended adding an internal log to indicate when I do some changes on my
> > patchwork instance via script a couple of years ago.
> > 
> > > > Someone knows what is going on here, i.e. what is the problem?  
> > > 
> > > Dan, can you just send that fix to me directly, with the fixed commit
> > > message (see above), and we can close this.
> > 
> > Feel free to add my:
> > 
> > 	Acked-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
> 
> I'm sorry for prodding again, I guess I'm becoming a bit annoying :-/
> 
> Dan, could you sent the patch with the above to Linus directly so it
> can show up in at least 5.15-rc3? I guess it's now to late for
> 5.15-rc2.

It looks this is still not yet applied up to 5.15-rc5, if I'm not
mistaken.

Regards,
Salvatore