From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0ECAFC433E6 for ; Sat, 29 Aug 2020 21:24:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E641E20776 for ; Sat, 29 Aug 2020 21:24:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728525AbgH2VYo (ORCPT ); Sat, 29 Aug 2020 17:24:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60194 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728384AbgH2VYn (ORCPT ); Sat, 29 Aug 2020 17:24:43 -0400 Received: from gofer.mess.org (gofer.mess.org [IPv6:2a02:8011:d000:212::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 47A8EC061573; Sat, 29 Aug 2020 14:24:43 -0700 (PDT) Received: by gofer.mess.org (Postfix, from userid 1000) id AB734C638A; Sat, 29 Aug 2020 22:24:35 +0100 (BST) Date: Sat, 29 Aug 2020 22:24:35 +0100 From: Sean Young To: Laurent Pinchart Cc: Pavel Machek , Sasha Levin , linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jia-Ju Bai , Mauro Carvalho Chehab , linux-media@vger.kernel.org Subject: Re: [PATCH AUTOSEL 4.19 08/38] media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() Message-ID: <20200829212435.GA9195@gofer.mess.org> References: <20200821161807.348600-1-sashal@kernel.org> <20200821161807.348600-8-sashal@kernel.org> <20200829121020.GA20944@duo.ucw.cz> <20200829171600.GA7465@pendragon.ideasonboard.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200829171600.GA7465@pendragon.ideasonboard.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Aug 29, 2020 at 08:16:00PM +0300, Laurent Pinchart wrote: > On Sat, Aug 29, 2020 at 02:10:20PM +0200, Pavel Machek wrote: > > Hi! > > > > > The value av7110->debi_virt is stored in DMA memory, and it is assigned > > > to data, and thus data[0] can be modified at any time by malicious > > > hardware. In this case, "if (data[0] < 2)" can be passed, but then > > > data[0] can be changed into a large number, which may cause buffer > > > overflow when the code "av7110->ci_slot[data[0]]" is used. > > > > > > To fix this possible bug, data[0] is assigned to a local variable, which > > > replaces the use of data[0]. > > > > I'm pretty sure hardware capable of manipulating memory can work > > around any such checks, but... > > > > > +++ b/drivers/media/pci/ttpci/av7110.c > > > @@ -424,14 +424,15 @@ static void debiirq(unsigned long cookie) > > > case DATA_CI_GET: > > > { > > > u8 *data = av7110->debi_virt; > > > + u8 data_0 = data[0]; > > > > > > - if ((data[0] < 2) && data[2] == 0xff) { > > > + if (data_0 < 2 && data[2] == 0xff) { > > > int flags = 0; > > > if (data[5] > 0) > > > flags |= CA_CI_MODULE_PRESENT; > > > if (data[5] > 5) > > > flags |= CA_CI_MODULE_READY; > > > - av7110->ci_slot[data[0]].flags = flags; > > > + av7110->ci_slot[data_0].flags = flags; > > > > This does not even do what it says. Compiler is still free to access > > data[0] multiple times. It needs READ_ONCE() to be effective. > > Yes, it seems quite dubious to me. If we *really* want to guard against > rogue hardware here, the whole DMA buffer should be copied. I don't > think it's worth it, a rogue PCI device can do much more harm. That is a good point. I'm not sure what the kernel could do to protect against a malicious PCI device (that can do dma) so this patch is totally pointless. Thanks Sean