From: Dan Carpenter <dan.carpenter@oracle.com>
To: Stefan Richter <stefanr@s5r6.in-berlin.de>,
Luo Likang <luolikang@nsfocus.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: linux-media@vger.kernel.org,
linux1394-devel@lists.sourceforge.net,
Yang Yanchao <yangyanchao6@huawei.com>,
Salvatore Bonaccorso <carnil@debian.org>,
security@kernel.org, linux-distros@vs.openwall.org
Subject: Re: [PATCH v2 RESEND] media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()
Date: Wed, 1 Sep 2021 13:40:26 +0300 [thread overview]
Message-ID: <20210901104026.GB2129@kadam> (raw)
In-Reply-To: <20210816072721.GA10534@kili>
On Mon, Aug 16, 2021 at 10:27:22AM +0300, Dan Carpenter wrote:
> The bounds checking in avc_ca_pmt() is not strict enough. It should
> be checking "read_pos + 4" because it's reading 5 bytes. If the
> "es_info_length" is non-zero then it reads a 6th byte so there needs to
> be an additional check for that.
>
> I also added checks for the "write_pos". I don't think these are
> required because "read_pos" and "write_pos" are tied together so
> checking one ought to be enough. But they make the code easier to
> understand for me. The check on write_pos is:
>
> if (write_pos + 4 >= sizeof(c->operand) - 4) {
>
> The first "+ 4" is because we're writing 5 bytes and the last " - 4"
> is to leave space for the CRC.
>
> The other problem is that "length" can be invalid. It comes from
> "data_length" in fdtv_ca_pmt(). Added a check in fdtv_ca_pmt() to
> prevent that.
>
> Cc: stable@vger.kernel.org
> Reported-by: Luo Likang <luolikang@nsfocus.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> RESEND: this patch got lost somehow.
>
What the heck? Someone on patchwork just marked this patch as obsolete
again!!!
Mauro can you figure out who's doing that and what's going on? The
first time it was marked as obsolete then I asked about it twice, Greg
asked about it, and Salvatore Bonaccorso asked about it. But all we
get are anonymous notifications from patchwork. It's a bit frustrating.
regards,
dan carpenter
next prev parent reply other threads:[~2021-09-01 10:41 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <000001d73031$d5304480$7f90cd80$@nsfocus.com>
2021-04-14 8:57 ` [PATCH] media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() Dan Carpenter
2021-04-19 21:42 ` Kees Cook
2021-06-07 15:23 ` [PATCH v2] " Dan Carpenter
2021-07-16 9:28 ` Petr Mladek
2021-07-19 10:25 ` [PATCH] " Dan Carpenter
2021-07-29 10:32 ` Greg KH
2021-08-16 7:01 ` Salvatore Bonaccorso
2021-08-16 7:27 ` [PATCH v2 RESEND] " Dan Carpenter
2021-09-01 10:40 ` Dan Carpenter [this message]
2021-09-12 13:14 ` Salvatore Bonaccorso
2021-09-12 18:26 ` Linus Torvalds
2021-09-13 2:50 ` Michael Ellerman
2021-09-13 13:23 ` Mauro Carvalho Chehab
2021-09-19 18:45 ` Salvatore Bonaccorso
2021-10-11 7:04 ` Salvatore Bonaccorso
2021-10-11 9:42 ` [PATCH] " Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210901104026.GB2129@kadam \
--to=dan.carpenter@oracle.com \
--cc=carnil@debian.org \
--cc=linux-distros@vs.openwall.org \
--cc=linux-media@vger.kernel.org \
--cc=linux1394-devel@lists.sourceforge.net \
--cc=luolikang@nsfocus.com \
--cc=mchehab@kernel.org \
--cc=security@kernel.org \
--cc=stefanr@s5r6.in-berlin.de \
--cc=yangyanchao6@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).