From: Greg Kroah-Hartman Date: Tue, 16 Dec 2008 23:36:01 +0000 (-0800) Subject: another .27 patch X-Git-Tag: v2.6.27.10~4 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=94e4f44d443036cf4f4c1641ba9f7132087f2d2f;p=thirdparty%2Fkernel%2Fstable-queue.git another .27 patch
---
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index 5fa45140675..f01e4bd8576 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -18,3 +18,4 @@ ieee1394-add-quirk-fix-for-freecom-hdd.patch
 sunrpc-fix-a-performance-regression-in-the-rpc-authentication-code.patch
 b1isa-fix-b1isa_exit-to-really-remove-registered-capi-controllers.patch
 macfb-do-not-overflow-fb_fix_screeninfo.id.patch
+v4l-dvb-avoid-writing-outside-shadow.bytes-array.patch
diff --git a/queue-2.6.27/v4l-dvb-avoid-writing-outside-shadow.bytes-array.patch b/queue-2.6.27/v4l-dvb-avoid-writing-outside-shadow.bytes-array.patch
new file mode 100644
index 00000000000..f93f2c2cb4b
--- /dev/null
+++ b/queue-2.6.27/v4l-dvb-avoid-writing-outside-shadow.bytes-array.patch
@@ -0,0 +1,84 @@
+From 494264379d186bf806613d27aafb7d88d42f4212 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Thu, 13 Nov 2008 17:03:28 -0300
+Subject: V4L/DVB (9621): Avoid writing outside shadow.bytes[] array
+
+From: Mauro Carvalho Chehab
+
+commit 494264379d186bf806613d27aafb7d88d42f4212 upstream.
+
+There were no check about the limits of shadow.bytes array. This offers
+a risk of writing values outside the limits, overriding other data
+areas.
+
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/video/tvaudio.c | 30 +++++++++++++++++++++++++++---
+ 1 file changed, 27 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/video/tvaudio.c
++++ b/drivers/media/video/tvaudio.c
+@@ -152,7 +152,7 @@ static int chip_write(struct CHIPSTATE *
+ {
+ unsigned char buffer[2];
+
+- if (-1 == subaddr) {
++ if (subaddr < 0) {
+ v4l_dbg(1, debug, chip->c, "%s: chip_write: 0x%x\n",
+ chip->c->name, val);
+ chip->shadow.bytes[1] = val;
+@@ -163,6 +163,13 @@ static int chip_write(struct CHIPSTATE *
+ return -1;
+ }
+ } else {
++ if (subaddr + 1 >= ARRAY_SIZE(chip->shadow.bytes)) {
++ v4l_info(chip->c,
++ "Tried to access a non-existent register: %d\n",
++ subaddr);
++ return -EINVAL;
++ }
++
+ v4l_dbg(1, debug, chip->c, "%s: chip_write: reg%d=0x%x\n",
+ chip->c->name, subaddr, val);
+ chip->shadow.bytes[subaddr+1] = val;
+@@ -177,12 +184,20 @@ static int chip_write(struct CHIPSTATE *
+ return 0;
+ }
+
+-static int chip_write_masked(struct CHIPSTATE *chip, int subaddr, int val, int mask)
++static int chip_write_masked(struct CHIPSTATE *chip,
++ int subaddr, int val, int mask)
+ {
+ if (mask != 0) {
+- if (-1 == subaddr) {
++ if (subaddr < 0) {
+ val = (chip->shadow.bytes[1] & ~mask) | (val & mask);
+ } else {
++ if (subaddr + 1 >= ARRAY_SIZE(chip->shadow.bytes)) {
++ v4l_info(chip->c,
++ "Tried to access a non-existent register: %d\n",
++ subaddr);
++ return -EINVAL;
++ }
++
+ val = (chip->shadow.bytes[subaddr+1] & ~mask)
| (val & mask);
+ }
+ }
+@@ -228,6 +243,15 @@ static int chip_cmd(struct CHIPSTATE *ch
+ if (0 == cmd->count)
+ return 0;
+
++ if (cmd->count + cmd->bytes[0] - 1 >= ARRAY_SIZE(chip->shadow.bytes)) {
++ v4l_info(chip->c,
++ "Tried to access a non-existent register range: %d to %d\n",
++ cmd->bytes[0] + 1, cmd->bytes[0] + cmd->count - 1);
++ return -EINVAL;
++ }
++
++ /* FIXME: it seems that the shadow bytes are wrong bellow !*/
++
+ /* update our shadow register set; print bytes if (debug > 0) */
+ v4l_dbg(1, debug, chip->c, "%s: chip_cmd(%s): reg=%d, data:",
+ chip->c->name, name,cmd->bytes[0]);
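Review bot: The `if (subaddr < 0)` test in chip_write() and chip_write_masked() now sends every negative subaddr down the no-subaddress path, so a caller bug that passes a negative value other than -1 becomes a real write of `val` to the chip and to `shadow.bytes[1]` instead of being rejected. Keeping `if (-1 == subaddr)` as the sentinel test and widening the new guard to `if (subaddr < 0 || subaddr + 1 >= ARRAY_SIZE(chip->shadow.bytes))` would return -EINVAL for those values without relying on the implicit signed-to-unsigned conversion in the comparison. Whether any caller can pass a negative other than -1 is not visible here, and both function bodies continue outside the embedded hunks. The new paths also return -EINVAL while the existing failure path shown in chip_write() returns -1, so any caller that tests specifically for -1 would miss the new error; a short comment on each function stating its return convention would make that explicit.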