| From dd1f1fb0beadb5a591e5ecfeb8effda0f214d1be Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Mon, 8 Apr 2019 05:52:38 -0400 |
| Subject: media: pvrusb2: Prevent a buffer overflow |
| |
| [ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ] |
| |
| The ctrl_check_input() function is called from pvr2_ctrl_range_check(). |
| It's supposed to validate user supplied input and return true or false |
| depending on whether the input is valid or not. The problem is that |
| negative shifts or shifts greater than 31 are undefined in C. In |
| practice with GCC they result in shift wrapping so this function returns |
| true for some inputs which are not valid and this could result in a |
| buffer overflow: |
| |
| drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname() |
| warn: uncapped user index 'names[val]' |
| |
| The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create() |
| and the highest valid bit is BIT(4). |
| |
| Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability") |
| |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> |
| Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 ++ |
| drivers/media/usb/pvrusb2/pvrusb2-hdw.h | 1 + |
| 2 files changed, 3 insertions(+) |
| |
| diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c |
| index 446a999dd2ce1..2bab4713bc5b9 100644 |
| --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c |
| +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c |
| @@ -666,6 +666,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp) |
| |
| static int ctrl_check_input(struct pvr2_ctrl *cptr,int v) |
| { |
| + if (v < 0 || v > PVR2_CVAL_INPUT_MAX) |
| + return 0; |
| return ((1 << v) & cptr->hdw->input_allowed_mask) != 0; |
| } |
| |
| diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h |
| index 25648add77e58..bd2b7a67b7322 100644 |
| --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h |
| +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h |
| @@ -50,6 +50,7 @@ |
| #define PVR2_CVAL_INPUT_COMPOSITE 2 |
| #define PVR2_CVAL_INPUT_SVIDEO 3 |
| #define PVR2_CVAL_INPUT_RADIO 4 |
| +#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO |
| |
| enum pvr2_config { |
| pvr2_config_empty, /* No configuration */ |
| -- |
| 2.20.1 |
| |