releases/3.10.85/cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 1fa2337a315a2448c5434f41e00d56b01a22283c Mon Sep 17 00:00:00 2001
 From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
 Date: Tue, 28 Apr 2015 18:51:17 -0300
 Subject: [media] cx24116: fix a buffer overflow when checking userspace params

 From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

 commit 1fa2337a315a2448c5434f41e00d56b01a22283c upstream.

 The maximum size for a DiSEqC command is 6, according to the
 userspace API. However, the code allows to write up much more values:
 	drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg() error: buffer overflow 'd->msg' 6 <= 23

 Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/media/dvb-frontends/cx24116.c |    8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

 --- a/drivers/media/dvb-frontends/cx24116.c
 +++ b/drivers/media/dvb-frontends/cx24116.c
 @@ -963,6 +963,10 @@ static int cx24116_send_diseqc_msg(struc
  	struct cx24116_state *state = fe->demodulator_priv;
  	int i, ret;

 +	/* Validate length */
 +	if (d->msg_len > sizeof(d->msg))
 +                return -EINVAL;
 +
  	/* Dump DiSEqC message */
  	if (debug) {
  		printk(KERN_INFO "cx24116: %s(", __func__);
 @@ -974,10 +978,6 @@ static int cx24116_send_diseqc_msg(struc
  		printk(") toneburst=%d\n", toneburst);
  	}

 -	/* Validate length */
 -	if (d->msg_len > (CX24116_ARGLEN - CX24116_DISEQC_MSGOFS))
 -		return -EINVAL;
 -
  	/* DiSEqC message */
  	for (i = 0; i < d->msg_len; i++)
  		state->dsec_cmd.args[CX24116_DISEQC_MSGOFS + i] = d->msg[i];
	From 1fa2337a315a2448c5434f41e00d56b01a22283c Mon Sep 17 00:00:00 2001
	From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
	Date: Tue, 28 Apr 2015 18:51:17 -0300
	Subject: [media] cx24116: fix a buffer overflow when checking userspace params

	From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

	commit 1fa2337a315a2448c5434f41e00d56b01a22283c upstream.

	The maximum size for a DiSEqC command is 6, according to the
	userspace API. However, the code allows to write up much more values:
	drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg() error: buffer overflow 'd->msg' 6 <= 23

	Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/media/dvb-frontends/cx24116.c \| 8 ++++----
	1 file changed, 4 insertions(+), 4 deletions(-)

	--- a/drivers/media/dvb-frontends/cx24116.c
	+++ b/drivers/media/dvb-frontends/cx24116.c
	@@ -963,6 +963,10 @@ static int cx24116_send_diseqc_msg(struc
	struct cx24116_state *state = fe->demodulator_priv;
	int i, ret;

	+ /* Validate length */
	+ if (d->msg_len > sizeof(d->msg))
	+ return -EINVAL;
	+
	/* Dump DiSEqC message */
	if (debug) {
	printk(KERN_INFO "cx24116: %s(", __func__);
	@@ -974,10 +978,6 @@ static int cx24116_send_diseqc_msg(struc
	printk(") toneburst=%d\n", toneburst);
	}

	- /* Validate length */
	- if (d->msg_len > (CX24116_ARGLEN - CX24116_DISEQC_MSGOFS))
	- return -EINVAL;
	-
	/* DiSEqC message */
	for (i = 0; i < d->msg_len; i++)
	state->dsec_cmd.args[CX24116_DISEQC_MSGOFS + i] = d->msg[i];