lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20180509221306.708c2d52@lt530>
Date:   Wed, 9 May 2018 22:13:06 +0200
From:   Daniel Scheller <d.scheller.oss@...il.com>
To:     Colin Ian King <colin.king@...onical.com>
Cc:     Mauro Carvalho Chehab <mchehab@...nel.org>,
        linux-media@...r.kernel.org, kernel-janitors@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH][media-next] media: ddbridge: avoid out-of-bounds write
 on array demod_in_use

Hi Colin,

Am Tue, 8 May 2018 11:39:56 +0100
schrieb Colin Ian King <colin.king@...onical.com>:

> On 08/05/18 11:38, Daniel Scheller wrote:
> > Hi Colin,
> > 
> > Am Tue,  8 May 2018 00:08:42 +0100
> > schrieb Colin King <colin.king@...onical.com>:
> >   
> >> From: Colin Ian King <colin.king@...onical.com>
> >>
> >> In function stop there is a check to see if state->demod is a stopped
> >> value of 0xff, however, later on, array demod_in_use is indexed with
> >> this value causing an out-of-bounds write error.  Avoid this by only
> >> writing to array demod_in_use if state->demod is not set to the stopped
> >> sentinal value for this specific corner case.  Also, replace the magic
> >> value 0xff with DEMOD_STOPPED to make code more readable.
> >>
> >> Detected by CoverityScan, CID#1468550 ("Out-of-bounds write")
> >>
> >> Fixes: daeeb1319e6f ("media: ddbridge: initial support for MCI-based MaxSX8 cards")
> >> Signed-off-by: Colin Ian King <colin.king@...onical.com>
> >> ---
> >>  drivers/media/pci/ddbridge/ddbridge-mci.c | 11 +++++++----
> >>  1 file changed, 7 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/drivers/media/pci/ddbridge/ddbridge-mci.c b/drivers/media/pci/ddbridge/ddbridge-mci.c
> >> index a85ff3e6b919..1f5ed53c8d35 100644
> >> --- a/drivers/media/pci/ddbridge/ddbridge-mci.c
> >> +++ b/drivers/media/pci/ddbridge/ddbridge-mci.c
> >> @@ -20,6 +20,8 @@
> >>  #include "ddbridge-io.h"
> >>  #include "ddbridge-mci.h"
> >>  
> >> +#define DEMOD_STOPPED	(0xff)
> >> +
> >>  static LIST_HEAD(mci_list);
> >>  
> >>  static const u32 MCLK = (1550000000 / 12);
> >> @@ -193,7 +195,7 @@ static int stop(struct dvb_frontend *fe)
> >>  	u32 input = state->tuner;
> >>  
> >>  	memset(&cmd, 0, sizeof(cmd));
> >> -	if (state->demod != 0xff) {
> >> +	if (state->demod != DEMOD_STOPPED) {
> >>  		cmd.command = MCI_CMD_STOP;
> >>  		cmd.demod = state->demod;
> >>  		mci_cmd(state, &cmd, NULL);
> >> @@ -209,10 +211,11 @@ static int stop(struct dvb_frontend *fe)
> >>  	state->base->tuner_use_count[input]--;
> >>  	if (!state->base->tuner_use_count[input])
> >>  		mci_set_tuner(fe, input, 0);
> >> -	state->base->demod_in_use[state->demod] = 0;
> >> +	if (state->demod != DEMOD_STOPPED)
> >> +		state->base->demod_in_use[state->demod] = 0;
> >>  	state->base->used_ldpc_bitrate[state->nr] = 0;
> >> -	state->demod = 0xff;
> >> -	state->base->assigned_demod[state->nr] = 0xff;
> >> +	state->demod = DEMOD_STOPPED;
> >> +	state->base->assigned_demod[state->nr] = DEMOD_STOPPED;
> >>  	state->base->iq_mode = 0;
> >>  	mutex_unlock(&state->base->tuner_lock);
> >>  	state->started = 0;  
> > 
> > Thanks for the patch, or - better - pointing this out. While it's
> > unlikely this will ever be an issue, I'm fine with changing the code
> > like that, but I'd prefer to change it a bit differently (ie.
> > DEMOD_STOPPED should be DEMOD_UNUSED, and I'd add defines for max.
> > tuners and use/compare against them).  
> 
> Sounds like a good idea.
> 
> > 
> > I'll send out a different patch that will cover the potential
> > coverityscan problem throughout the end of the week.  
> 
> Great. Thanks!

JFYI, patch sent as part of a few other fixes and up at linux-media
patchwork:

https://patchwork.linuxtv.org/patch/49403/

Best regards,
Daniel Scheller
-- 
https://github.com/herrnst

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ