lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANXPkT4KL9KxvgjaJO058zg8nb00qaiPfDFKEaQ42g6v18XvKA@mail.gmail.com>
Date:   Wed, 31 Aug 2022 22:43:44 +0900
From:   유용수 <yongsuyoo0215@...il.com>
To:     mchehab@...nel.org, linux-media@...r.kernel.org,
        linux-kernel@...r.kernel.org, yongsu.yoo@....com
Subject: Re: [PATCH] media: dvb_ca_en50221: A bug is fixed for size write

Dear All
Can you share how this patch is going ?

2022년 8월 18일 (목) 오후 9:50, YongSu Yoo <yongsuyoo0215@...il.com>님이 작성:
>
> Signed-off-by:Yongsu Yoo <yongsuyoo0215@...il.com>
>
> The function of "dvb_ca_en50221_write_data" at source/drivers/media
> /dvb-core/dvb_ca_en50221.c is used for two cases.
> The first case is for writing APDU data in the function of
> "dvb_ca_en50221_io_write" at source/drivers/media/dvb-core/
> dvb_ca_en50221.c.
> The second case is for writing the host link buf size on the
> Command Register in the function of "dvb_ca_en50221_link_init"
> at source/drivers/media/dvb-core/dvb_ca_en50221.c.
> In the second case, there exists a bug like followings.
> In the function of the "dvb_ca_en50221_link_init",
> after a TV host calculates the host link buf_size,
> the TV host writes the calculated host link buf_size on the
> Size Register.
> Accroding to the en50221 Spec (the page 60 of
> https://dvb.org/wp-content/uploads/2020/02/En50221.V1.pdf),
> before this writing operation, the "SW(CMDREG_SW)" flag in the
> Command Register should be set. We can see this setting operation
> in the function of the "dvb_ca_en50221_link_init" like below.
> ...
>         if ((ret = ca->pub->write_cam_control(ca->pub, slot,
> CTRLIF_COMMAND, IRQEN | CMDREG_SW)) != 0)
>                 return ret;
> ...
> But, after that, the real writing operation is implemented using
> the function of the "dvb_ca_en50221_write_data" in the function of
> "dvb_ca_en50221_link_init", and the "dvb_ca_en50221_write_data"
> includes the function of "ca->pub->write_cam_control",
> and the function of the "ca->pub->write_cam_control" in the
> function of the "dvb_ca_en50221_wrte_data" does not include
> "CMDREG_SW" flag like below.
> ...
>         if ((status = ca->pub->write_cam_control(ca->pub, slot,
> CTRLIF_COMMAND, IRQEN | CMDREG_HC)) != 0)
> ...
> In the above source code, we can see only the "IRQEN | CMDREG_HC",
> but we cannot see the "CMDREG_SW".
> The "CMDREG_SW" flag which was set in the function of the
> "dvb_ca_en50221_link_init" was rollbacked by the follwoing function
> of the "dvb_ca_en50221_write_data".
> This is a bug. and this bug causes that the calculated host link buf_size
> is not properly written in the CI module.
> Through this patch, we fix this bug.
> ---
>  drivers/media/dvb-core/dvb_ca_en50221.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
> index 15a08d8c69ef..13f249b0a080 100644
> --- a/drivers/media/dvb-core/dvb_ca_en50221.c
> +++ b/drivers/media/dvb-core/dvb_ca_en50221.c
> @@ -187,7 +187,7 @@ static void dvb_ca_en50221_thread_wakeup(struct dvb_ca_private *ca);
>  static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot,
>                                     u8 *ebuf, int ecount);
>  static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
> -                                    u8 *ebuf, int ecount);
> +                                    u8 *ebuf, int ecount, int size_write_flag);
>
>  /**
>   * findstr - Safely find needle in haystack.
> @@ -370,7 +370,7 @@ static int dvb_ca_en50221_link_init(struct dvb_ca_private *ca, int slot)
>         ret = dvb_ca_en50221_wait_if_status(ca, slot, STATUSREG_FR, HZ / 10);
>         if (ret)
>                 return ret;
> -       ret = dvb_ca_en50221_write_data(ca, slot, buf, 2);
> +       ret = dvb_ca_en50221_write_data(ca, slot, buf, 2, CMDREG_SW);
>         if (ret != 2)
>                 return -EIO;
>         ret = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND, IRQEN);
> @@ -778,11 +778,13 @@ static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot,
>   * @buf: The data in this buffer is treated as a complete link-level packet to
>   *      be written.
>   * @bytes_write: Size of ebuf.
> + * @size_write_flag: A flag on Command Register which says whether the link size
> + * information will be writen or not.
>   *
>   * return: Number of bytes written, or < 0 on error.
>   */
>  static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
> -                                    u8 *buf, int bytes_write)
> +                                    u8 *buf, int bytes_write, int size_write_flag)
>  {
>         struct dvb_ca_slot *sl = &ca->slot_info[slot];
>         int status;
> @@ -817,7 +819,7 @@ static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
>
>         /* OK, set HC bit */
>         status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND,
> -                                           IRQEN | CMDREG_HC);
> +                                           IRQEN | CMDREG_HC | size_write_flag);
>         if (status)
>                 goto exit;
>
> @@ -1508,7 +1510,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
>
>                         mutex_lock(&sl->slot_lock);
>                         status = dvb_ca_en50221_write_data(ca, slot, fragbuf,
> -                                                          fraglen + 2);
> +                                                          fraglen + 2, 0);
>                         mutex_unlock(&sl->slot_lock);
>                         if (status == (fraglen + 2)) {
>                                 written = 1;
> --
> 2.17.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ