From: Yang Yanchao <yangyanchao6@huawei.com>
To: <dan.carpenter@oracle.com>
Cc: <linux-distros@vs.openwall.org>, <linux-media@vger.kernel.org>,
<linux1394-devel@lists.sourceforge.net>, <mchehab@kernel.org>,
<security@kernel.org>
Subject: [PATCH] media firewire firedtv-avc fix a buffer overflow in avc_ca_pmt()
Date: Mon, 7 Jun 2021 15:38:17 +0800 [thread overview]
Message-ID: <20210607073817.1246-1-yangyanchao6@huawei.com> (raw)
For CVE-2021-3542:
1ã€read_pos will be added four times in the patch,
so use "read_pos + 4 < length" and write_pos as well
2. The last four bits of c->operand are used for CRC,
so "sizeof (C - > operand) - 4" is used
3. "read_pos+=2" is added after the end of read_pos, so add value (read_pos >= length)
4. In order to avoid memcpy crossing the boundary, es_ info_ length > length - read_ pos
5. When the date_length is a specific input of a construction,it will cause memcpy
to exceed the boundary, "(MSG - > MSG [3] & 0x7F) + date_ length) > (sizeof(msg->msg) - 4)"
Signed-off-by: yangyanchao <yangyanchao6@huawei.com>
---
drivers/media/firewire/firedtv-avc.c | 14 +++++++++++---
drivers/media/firewire/firedtv-ci.c | 2 ++
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index 3ef5df164..8c31cf90c 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
read_pos += program_info_length;
write_pos += program_info_length;
}
- while (read_pos < length) {
+ while (read_pos + 4 < length) {
+ if (write_pos + 4 >= sizeof(c->operand) - 4) {
+ ret = -EINVAL;
+ goto out;
+ }
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
@@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
c->operand[write_pos++] = es_info_length >> 8;
c->operand[write_pos++] = es_info_length & 0xff;
if (es_info_length > 0) {
+ if (read_pos >= length) {
+ ret = -EINVAL;
+ goto out;
+ }
pmt_cmd_id = msg[read_pos++];
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device, "invalid pmt_cmd_id %d at stream level\n",
pmt_cmd_id);
- if (es_info_length > sizeof(c->operand) - 4 -
- write_pos) {
+ if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
+ es_info_length > length - read_pos) {
ret = -EINVAL;
goto out;
}
diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c
index 8dc5a7495..0e7ffa156 100644
--- a/drivers/media/firewire/firedtv-ci.c
+++ b/drivers/media/firewire/firedtv-ci.c
@@ -135,6 +135,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
data_length = 0;
for (i = 0; i < (msg->msg[3] & 0x7f); i++)
data_length = (data_length << 8) + msg->msg[data_pos++];
+ if (((msg->msg[3] & 0x7f) + date_length) > (sizeof(msg->msg) - 4))
+ return -EINVAL;
} else {
data_length = msg->msg[3];
}
--
2.23.0
next reply other threads:[~2021-06-07 7:38 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-07 7:38 Yang Yanchao [this message]
-- strict thread matches above, loose matches on Subject: below --
2021-06-07 7:39 [PATCH] media firewire firedtv-avc fix a buffer overflow in avc_ca_pmt() Yang Yanchao
2021-06-07 9:26 ` Greg KH
2021-06-07 14:28 ` Dan Carpenter
[not found] <000001d73031$d5304480$7f90cd80$@nsfocus.com>
2021-04-14 8:57 ` [PATCH] media: firewire: firedtv-avc: " Dan Carpenter
2021-04-19 21:42 ` Kees Cook
2021-07-19 10:25 ` Dan Carpenter
2021-07-29 10:32 ` Greg KH
2021-08-16 7:01 ` Salvatore Bonaccorso
2021-08-16 7:27 ` [PATCH v2 RESEND] " Dan Carpenter
2021-09-01 10:40 ` Dan Carpenter
2021-09-12 13:14 ` Salvatore Bonaccorso
2021-09-12 18:26 ` Linus Torvalds
2021-09-13 13:23 ` Mauro Carvalho Chehab
2021-09-19 18:45 ` Salvatore Bonaccorso
2021-10-11 7:04 ` Salvatore Bonaccorso
2021-10-11 9:42 ` [PATCH] " Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210607073817.1246-1-yangyanchao6@huawei.com \
--to=yangyanchao6@huawei.com \
--cc=dan.carpenter@oracle.com \
--cc=linux-distros@vs.openwall.org \
--cc=linux-media@vger.kernel.org \
--cc=linux1394-devel@lists.sourceforge.net \
--cc=mchehab@kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.