lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <22f3bdcb-dc29-b6a7-941e-6218f0a8791d@gmail.com>
Date:   Thu, 12 Aug 2021 12:21:35 +0800
From:   Tuo Li <islituo@...il.com>
To:     mchehab@...nel.org, hverkuil-cisco@...all.nl,
        christophe.jaillet@...adoo.fr, tglx@...utronix.de
Cc:     linux-media@...r.kernel.org,
        Linux Kernel <linux-kernel@...r.kernel.org>,
        "baijiaju1990@...il.com" <baijiaju1990@...il.com>
Subject: [media] cx25821: Is there a potential buffer-underflow in
 cx25821-core.c?

Hello,

Our static analysis tool reports a possible buffer-underflow in 
cx25821-core.c in Linux 5.14.0-rc3:

The variable channel_select is checked in:
761:    if (channel_select <= 7 && channel_select >= 0)

This indicates that channel_select can be negative.
If so, a buffer-underflow will occur:
765:    dev->channels[channel_select].pixel_formats = format;

However, we checked this report manually, and found that the only call 
site is in cx25821-video.c:
394:    cx25821_set_pixel_format(dev, SRAM_CH00, pix_format);

And SRAM_CH00 is not negative.

I am not sure whether this negatvie-check is redundant or there is a 
potential buffer-underflow.
Any feedback would be appreciated, thanks!

Reported-by: TOTE Robot <oslab@...nghua.edu.cn>

Best wishes,
Tuo Li

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ