[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210301161206.091782438@linuxfoundation.org>
Date: Mon, 1 Mar 2021 17:12:18 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org,
syzbot+ec3b3128c576e109171d@...kaller.appspotmail.com,
James Reynolds <jr@...len.com>, Sean Young <sean@...s.org>,
Mauro Carvalho Chehab <mchehab+huawei@...nel.org>
Subject: [PATCH 5.10 490/663] media: mceusb: Fix potential out-of-bounds shift
From: James Reynolds <jr@...len.com>
commit 1b43bad31fb0e00f45baf5b05bd21eb8d8ce7f58 upstream.
When processing a MCE_RSP_GETPORTSTATUS command, the bit index to set in
ir->txports_cabled comes from response data, and isn't validated.
As ir->txports_cabled is a u8, nothing should be done if the bit index
is greater than 7.
Cc: stable@...r.kernel.org
Reported-by: syzbot+ec3b3128c576e109171d@...kaller.appspotmail.com
Signed-off-by: James Reynolds <jr@...len.com>
Signed-off-by: Sean Young <sean@...s.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@...nel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
drivers/media/rc/mceusb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1169,7 +1169,7 @@ static void mceusb_handle_command(struct
switch (subcmd) {
/* the one and only 5-byte return value command */
case MCE_RSP_GETPORTSTATUS:
- if (buf_in[5] == 0)
+ if (buf_in[5] == 0 && *hi < 8)
ir->txports_cabled |= 1 << *hi;
break;
Powered by blists - more mailing lists