Commit | Line | Data |
---|---|---|
1143c684 SL |
1 | From d06cc526cc78f6bbdbfc944aea133c2a7ccc5b3b Mon Sep 17 00:00:00 2001 |
2 | From: Dan Carpenter <dan.carpenter@oracle.com> | |
3 | Date: Mon, 8 Apr 2019 05:52:38 -0400 | |
4 | Subject: media: pvrusb2: Prevent a buffer overflow | |
5 | ||
6 | [ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ] | |
7 | ||
8 | The ctrl_check_input() function is called from pvr2_ctrl_range_check(). | |
9 | It's supposed to validate user supplied input and return true or false | |
10 | depending on whether the input is valid or not. The problem is that | |
11 | negative shifts or shifts greater than 31 are undefined in C. In | |
12 | practice with GCC they result in shift wrapping so this function returns | |
13 | true for some inputs which are not valid and this could result in a | |
14 | buffer overflow: | |
15 | ||
16 | drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname() | |
17 | warn: uncapped user index 'names[val]' | |
18 | ||
19 | The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create() | |
20 | and the highest valid bit is BIT(4). | |
21 | ||
22 | Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability") | |
23 | ||
24 | Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> | |
25 | Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> | |
26 | Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> | |
27 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
28 | --- | |
29 | drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 ++ | |
30 | drivers/media/usb/pvrusb2/pvrusb2-hdw.h | 1 + | |
31 | 2 files changed, 3 insertions(+) | |
32 | ||
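--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -670,6 +670,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp)
 
 static int ctrl_check_input(struct pvr2_ctrl *cptr,int v)
 {
+ if (v < 0 || v > PVR2_CVAL_INPUT_MAX)
+ return 0;
 return ((1 << v) & cptr->hdw->input_allowed_mask) != 0;
 }
 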
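Review bot: The new range check in ctrl_check_input() has no comment saying that `v` is user supplied and that the bound protects both the shift and the later `names[val]` lookup named in the commit message. I would add `/* v is user controlled: bound it before shifting and before it is used as a table index */` above the `if`. Separately, `1 << v` is still a signed shift. It is safe for 0..4, but `1U << v` would keep the expression unsigned if the limit ever grows towards bit 31. The type of `input_allowed_mask` is not visible in this hunk, so confirm it is unsigned before changing the shift.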
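--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
@@ -54,6 +54,7 @@
 #define PVR2_CVAL_INPUT_COMPOSITE 2
 #define PVR2_CVAL_INPUT_SVIDEO 3
 #define PVR2_CVAL_INPUT_RADIO 4
+#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO
 
 enum pvr2_config {
 pvr2_config_empty, /* No configuration */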
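Review bot: `PVR2_CVAL_INPUT_MAX` is an alias for the current last input, so anyone appending a new `PVR2_CVAL_INPUT_*` value has to remember to move it, and nothing in the hunk says so. A one-line comment such as `/* highest valid PVR2_CVAL_INPUT_* value; update when adding an input */` would make that explicit. The list of input defines starts above the hunk and the table the value ends up indexing is not visible here, so it is worth checking that the table has `PVR2_CVAL_INPUT_MAX + 1` entries.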
58 | -- | |
59 | 2.20.1 | |
60 |