| From a6d5a8ade4c76866a6da5e98d243602556fe88ed Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Sat, 30 May 2020 16:42:08 +0200 |
| Subject: media: pci: ttpci: av7110: fix possible buffer overflow caused by bad |
| DMA value in debiirq() |
| |
| From: Jia-Ju Bai <baijiaju@tsinghua.edu.cn> |
| |
| [ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ] |
| |
| The value av7110->debi_virt is stored in DMA memory, and it is assigned |
| to data, and thus data[0] can be modified at any time by malicious |
| hardware. In this case, "if (data[0] < 2)" can be passed, but then |
| data[0] can be changed into a large number, which may cause buffer |
| overflow when the code "av7110->ci_slot[data[0]]" is used. |
| |
| To fix this possible bug, data[0] is assigned to a local variable, which |
| replaces the use of data[0]. |
| |
| Signed-off-by: Jia-Ju Bai <baijiaju@tsinghua.edu.cn> |
| Signed-off-by: Sean Young <sean@mess.org> |
| Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/media/pci/ttpci/av7110.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| diff --git a/drivers/media/pci/ttpci/av7110.c b/drivers/media/pci/ttpci/av7110.c |
| index 382caf200ba16..c313f51688f44 100644 |
| --- a/drivers/media/pci/ttpci/av7110.c |
| +++ b/drivers/media/pci/ttpci/av7110.c |
| @@ -426,14 +426,15 @@ static void debiirq(unsigned long cookie) |
| case DATA_CI_GET: |
| { |
| u8 *data = av7110->debi_virt; |
| + u8 data_0 = data[0]; |
| |
| - if ((data[0] < 2) && data[2] == 0xff) { |
| + if (data_0 < 2 && data[2] == 0xff) { |
| int flags = 0; |
| if (data[5] > 0) |
| flags |= CA_CI_MODULE_PRESENT; |
| if (data[5] > 5) |
| flags |= CA_CI_MODULE_READY; |
| - av7110->ci_slot[data[0]].flags = flags; |
| + av7110->ci_slot[data_0].flags = flags; |
| } else |
| ci_get_data(&av7110->ci_rbuffer, |
| av7110->debi_virt, |
| -- |
| 2.25.1 |
| |
