]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blame - queue-4.4/media-pvrusb2-prevent-a-buffer-overflow.patch
drop rdma-cma-consider-scope_id-while-binding-to-ipv6-ll-.patch from 4.4, 4.9, and...
[thirdparty/kernel/stable-queue.git] / queue-4.4 / media-pvrusb2-prevent-a-buffer-overflow.patch
CommitLineData
1143c684
SL
1From d06cc526cc78f6bbdbfc944aea133c2a7ccc5b3b Mon Sep 17 00:00:00 2001
2From: Dan Carpenter <dan.carpenter@oracle.com>
3Date: Mon, 8 Apr 2019 05:52:38 -0400
4Subject: media: pvrusb2: Prevent a buffer overflow
5
6[ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ]
7
8The ctrl_check_input() function is called from pvr2_ctrl_range_check().
9It's supposed to validate user supplied input and return true or false
10depending on whether the input is valid or not. The problem is that
11negative shifts or shifts greater than 31 are undefined in C. In
12practice with GCC they result in shift wrapping so this function returns
13true for some inputs which are not valid and this could result in a
14buffer overflow:
15
16 drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
17 warn: uncapped user index 'names[val]'
18
19The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
20and the highest valid bit is BIT(4).
21
22Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")
23
24Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
25Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
26Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
27Signed-off-by: Sasha Levin <sashal@kernel.org>
28---
29 drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 ++
30 drivers/media/usb/pvrusb2/pvrusb2-hdw.h | 1 +
31 2 files changed, 3 insertions(+)
32
33diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
34index 0533ef20decfe..232b0fd3e4784 100644
35--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
36+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
37@@ -670,6 +670,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp)
38
39 static int ctrl_check_input(struct pvr2_ctrl *cptr,int v)
40 {
41+ if (v < 0 || v > PVR2_CVAL_INPUT_MAX)
42+ return 0;
43 return ((1 << v) & cptr->hdw->input_allowed_mask) != 0;
44 }
45
46diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
47index a82a00dd73293..80869990ffbbb 100644
48--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
49+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
50@@ -54,6 +54,7 @@
51 #define PVR2_CVAL_INPUT_COMPOSITE 2
52 #define PVR2_CVAL_INPUT_SVIDEO 3
53 #define PVR2_CVAL_INPUT_RADIO 4
54+#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO
55
56 enum pvr2_config {
57 pvr2_config_empty, /* No configuration */
58--
592.20.1
60