lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 27 Jan 2016 12:31:08 -0800
From:	Kamal Mostafa <kamal@...onical.com>
To:	linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	kernel-team@...ts.ubuntu.com
Cc:	Laura Abbott <labbott@...oraproject.org>,
	Mauro Carvalho Chehab <mchehab@....samsung.com>,
	Kamal Mostafa <kamal@...onical.com>
Subject: [PATCH 4.2.y-ckt 007/268] [media] si2157: return -EINVAL if firmware blob is too big

4.2.8-ckt3 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Laura Abbott <labbott@...oraproject.org>

commit d2cc2f0b35465951eaaf0387fd55e29835ed7ea6 upstream.

A previous patch added a check if the firmware is too big, but it didn't
set the return error code with the right value.

[mchehab@....samsung.com: I ended by applying a v1 of Laura's patch, without
 the proper return code. This patch contains the difference between v2 and v1 of
 the Laura's "si2157: Bounds check firmware" patch]
Signed-off-by: Laura Abbott <labbott@...oraproject.org>
Reviewed-by: Olli Salonen <olli.salonen@....fi>
Tested-by: Olli Salonen <olli.salonen@....fi>

Signed-off-by: Mauro Carvalho Chehab <mchehab@....samsung.com>
Signed-off-by: Kamal Mostafa <kamal@...onical.com>
---
 drivers/media/tuners/si2157.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
index 416c865..27241de 100644
--- a/drivers/media/tuners/si2157.c
+++ b/drivers/media/tuners/si2157.c
@@ -168,6 +168,7 @@ static int si2157_init(struct dvb_frontend *fe)
 		len = fw->data[fw->size - remaining];
 		if (len > SI2157_ARGLEN) {
 			dev_err(&client->dev, "Bad firmware length\n");
+			ret = -EINVAL;
 			goto err_release_firmware;
 		}
 		memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
-- 
1.9.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ