From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5621DC433E1 for ; Fri, 21 Aug 2020 17:21:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 29E5F20738 for ; Fri, 21 Aug 2020 17:21:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598030493; bh=SF7cbSp+8aJt7HKiEK1+h754VI5LCsyUECgtetCo9QU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=WP0amoiNdS/Y3TSzR4K2bIVignRixpMgHrcRM09z/3BTPUC8y6/vuNAho94UhRrI7 RQwNZ9wat8sHcitw1X51YoLSpxha8smC4y4QglN/hkzNTIpsoSr9PClcrHtHs7ARY0 PeqcEO7Kf1X6DgSiHp8sJekgg7o95s290Ea2zNGM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729017AbgHURV1 (ORCPT ); Fri, 21 Aug 2020 13:21:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:48370 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728023AbgHUQQC (ORCPT ); Fri, 21 Aug 2020 12:16:02 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1317A21741; Fri, 21 Aug 2020 16:16:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598026561; bh=SF7cbSp+8aJt7HKiEK1+h754VI5LCsyUECgtetCo9QU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=O8Psq1iZ2OvyUlFiZBIhYbGURShiyJu/Fmkl9iECSoAlRY3FV3T6Ml1BMrwZnNdxk JdVtjf3cCfuSKID2UGY00JZPtIdxd0DxE9iXW1s3IeEtjYdmlmQ5zvGSq0CnUnNIvQ ZBAK8Rvi/sNEjNx/xnsoS8ddT1a6bKR5LChG1Hs0= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Jia-Ju Bai , Sean Young , Mauro Carvalho Chehab , Sasha Levin , linux-media@vger.kernel.org Subject: [PATCH AUTOSEL 5.7 13/61] media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() Date: Fri, 21 Aug 2020 12:14:57 -0400 Message-Id: <20200821161545.347622-13-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200821161545.347622-1-sashal@kernel.org> References: <20200821161545.347622-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jia-Ju Bai [ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ] The value av7110->debi_virt is stored in DMA memory, and it is assigned to data, and thus data[0] can be modified at any time by malicious hardware. In this case, "if (data[0] < 2)" can be passed, but then data[0] can be changed into a large number, which may cause buffer overflow when the code "av7110->ci_slot[data[0]]" is used. To fix this possible bug, data[0] is assigned to a local variable, which replaces the use of data[0]. Signed-off-by: Jia-Ju Bai Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/pci/ttpci/av7110.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/media/pci/ttpci/av7110.c b/drivers/media/pci/ttpci/av7110.c index d0cdee1c6eb0b..bf36b1e22b635 100644 --- a/drivers/media/pci/ttpci/av7110.c +++ b/drivers/media/pci/ttpci/av7110.c @@ -406,14 +406,15 @@ static void debiirq(unsigned long cookie) case DATA_CI_GET: { u8 *data = av7110->debi_virt; + u8 data_0 = data[0]; - if ((data[0] < 2) && data[2] == 0xff) { + if (data_0 < 2 && data[2] == 0xff) { int flags = 0; if (data[5] > 0) flags |= CA_CI_MODULE_PRESENT; if (data[5] > 5) flags |= CA_CI_MODULE_READY; - av7110->ci_slot[data[0]].flags = flags; + av7110->ci_slot[data_0].flags = flags; } else ci_get_data(&av7110->ci_rbuffer, av7110->debi_virt, -- 2.25.1