Message-Id: <20180718141356.2515-1-vasilyev@ispras.ru>
Date: Wed, 18 Jul 2018 17:13:56 +0300
From: Anton Vasilyev <vasilyev@...ras.ru>
To: Mauro Carvalho Chehab <mchehab@...nel.org>
Cc: Anton Vasilyev <vasilyev@...ras.ru>, Sean Young <sean@...s.org>,
Hans Verkuil <hans.verkuil@...co.com>,
Arvind Yadav <arvind.yadav.cs@...il.com>,
"Gustavo A. R. Silva" <garsilva@...eddedor.com>,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
ldv-project@...uxtesting.org
Subject: [PATCH] media: dm1105: Limit number of cards to avoid buffer over read
dm1105_probe() counts the number of cards in dm1105_devcount,
but missed a bounds check before dereferencing the card array.

Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Anton Vasilyev <vasilyev@...ras.ru>
---
drivers/media/pci/dm1105/dm1105.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/pci/dm1105/dm1105.c b/drivers/media/pci/dm1105/dm1105.c
index c9db108751a7..1ddb0576fb7b 100644
--- a/drivers/media/pci/dm1105/dm1105.c
+++ b/drivers/media/pci/dm1105/dm1105.c
@@ -986,6 +986,9 @@ static int dm1105_probe(struct pci_dev *pdev,
int ret = -ENOMEM;
int i;
+ if (dm1105_devcount >= ARRAY_SIZE(card))
+ return -ENODEV;
+
dev = kzalloc(sizeof(struct dm1105_dev), GFP_KERNEL);
if (!dev)
return -ENOMEM;
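Review bot: the new early return at the top of dm1105_probe() rejects the device silently, so when `dm1105_devcount >= ARRAY_SIZE(card)` is true the user sees a card that did not bind and nothing in the log explaining why. Consider a dev_err() or dev_warn() on &pdev->dev before `return -ENODEV;` that states the card limit was reached. The placement before kzalloc() is right, since nothing needs unwinding on this path. The hunk does not show where dm1105_devcount is incremented or whether it is ever decremented on remove; if it only grows, repeated unbind/rebind cycles will eventually make every probe fail with this check, so that is worth confirming and mentioning in the commit message.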
--
2.18.0