lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4f95bc0d-0b75-dd75-642c-b2238feb9890@gmail.com>
Date:   Thu, 7 May 2020 18:11:06 +0800
From:   Jia-Ju Bai <baijiaju1990@...il.com>
To:     Sean Young <sean@...s.org>
Cc:     mchehab@...nel.org, kstewart@...uxfoundation.org,
        tomasbortoli@...il.com, gregkh@...uxfoundation.org,
        allison@...utok.net, tglx@...utronix.de,
        linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: usb: ttusb-dec: avoid buffer overflow in
 ttusb_dec_handle_irq() when DMA failures/attacks occur

Thanks for the reply, Sean :)

On 2020/5/7 16:43, Sean Young wrote:
> On Tue, May 05, 2020 at 10:21:10PM +0800, Jia-Ju Bai wrote:
>> Signed-off-by: Jia-Ju Bai <baijiaju1990@...il.com>
>> ---
>>   drivers/media/usb/ttusb-dec/ttusb_dec.c | 9 +++++----
>>   1 file changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
>> index 3198f9624b7c..8543c552515b 100644
>> --- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
>> +++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
>> @@ -250,6 +250,7 @@ static void ttusb_dec_handle_irq( struct urb *urb)
>>   	struct ttusb_dec *dec = urb->context;
>>   	char *buffer = dec->irq_buffer;
>>   	int retval;
>> +	u8 index = buffer[4];
>>   
>>   	switch(urb->status) {
>>   		case 0: /*success*/
>> @@ -281,11 +282,11 @@ static void ttusb_dec_handle_irq( struct urb *urb)
>>   		 * this should/could be added later ...
>>   		 * for now lets report each signal as a key down and up
>>   		 */
>> -		if (buffer[4] - 1 < ARRAY_SIZE(rc_keys)) {
> Here buffer[4] is signed char, so if buffer[4] == 0 then (buffer[4] - 1) = -1,
> this becomes "if (-1 < ARRAY_SIZE(rc_keys))", which evaluates to false,
> due to it becoming an unsigned compare. _I think_.

I think you are right.
Maybe I should use "int index = buffer[4]" here.

>> -			dprintk("%s:rc signal:%d\n", __func__, buffer[4]);
>> -			input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 1);
>> +		if (index - 1 < ARRAY_SIZE(rc_keys)) {
>> +			dprintk("%s:rc signal:%d\n", __func__, index);
>> +			input_report_key(dec->rc_input_dev, rc_keys[index - 1], 1);
>>   			input_sync(dec->rc_input_dev);
>> -			input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 0);
>> +			input_report_key(dec->rc_input_dev, rc_keys[index - 1], 0);
> Like Greg said, this patch reduces the number of dereferences and makes
> the code much cleaner, but the commit message is misleading.

Okay, I will change my log and send a new patch.


Best wishes,
Jia-Ju Bai

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ