| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 15 Sep 2022 17:47:51 +0900
From: 유용수 <yongsuyoo0215@...il.com>
To: mchehab@...nel.org, linux-media@...r.kernel.org,
linux-kernel@...r.kernel.org, yongsu.yoo@....com,
유용수 <yongsuyoo0215@...il.com>
Subject: Re: [PATCH] media: dvb_ca_en50221: A bug is fixed for size write
Dear All
Can you share how this patch is going ?
2022년 8월 31일 (수) 오후 10:43, 유용수 <yongsuyoo0215@...il.com>님이 작성:
>
> Dear All
> Can you share how this patch is going ?
>
> 2022년 8월 18일 (목) 오후 9:50, YongSu Yoo <yongsuyoo0215@...il.com>님이 작성:
> >
> > Signed-off-by:Yongsu Yoo <yongsuyoo0215@...il.com>
> >
> > The function of "dvb_ca_en50221_write_data" at source/drivers/media
> > /dvb-core/dvb_ca_en50221.c is used for two cases.
> > The first case is for writing APDU data in the function of
> > "dvb_ca_en50221_io_write" at source/drivers/media/dvb-core/
> > dvb_ca_en50221.c.
> > The second case is for writing the host link buf size on the
> > Command Register in the function of "dvb_ca_en50221_link_init"
> > at source/drivers/media/dvb-core/dvb_ca_en50221.c.
> > In the second case, there exists a bug like followings.
> > In the function of the "dvb_ca_en50221_link_init",
> > after a TV host calculates the host link buf_size,
> > the TV host writes the calculated host link buf_size on the
> > Size Register.
> > Accroding to the en50221 Spec (the page 60 of
> > https://dvb.org/wp-content/uploads/2020/02/En50221.V1.pdf),
> > before this writing operation, the "SW(CMDREG_SW)" flag in the
> > Command Register should be set. We can see this setting operation
> > in the function of the "dvb_ca_en50221_link_init" like below.
> > ...
> > if ((ret = ca->pub->write_cam_control(ca->pub, slot,
> > CTRLIF_COMMAND, IRQEN | CMDREG_SW)) != 0)
> > return ret;
> > ...
> > But, after that, the real writing operation is implemented using
> > the function of the "dvb_ca_en50221_write_data" in the function of
> > "dvb_ca_en50221_link_init", and the "dvb_ca_en50221_write_data"
> > includes the function of "ca->pub->write_cam_control",
> > and the function of the "ca->pub->write_cam_control" in the
> > function of the "dvb_ca_en50221_wrte_data" does not include
> > "CMDREG_SW" flag like below.
> > ...
> > if ((status = ca->pub->write_cam_control(ca->pub, slot,
> > CTRLIF_COMMAND, IRQEN | CMDREG_HC)) != 0)
> > ...
> > In the above source code, we can see only the "IRQEN | CMDREG_HC",
> > but we cannot see the "CMDREG_SW".
> > The "CMDREG_SW" flag which was set in the function of the
> > "dvb_ca_en50221_link_init" was rollbacked by the follwoing function
> > of the "dvb_ca_en50221_write_data".
> > This is a bug. and this bug causes that the calculated host link buf_size
> > is not properly written in the CI module.
> > Through this patch, we fix this bug.
> > ---
> > drivers/media/dvb-core/dvb_ca_en50221.c | 12 +++++++-----
> > 1 file changed, 7 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
> > index 15a08d8c69ef..13f249b0a080 100644
> > --- a/drivers/media/dvb-core/dvb_ca_en50221.c
> > +++ b/drivers/media/dvb-core/dvb_ca_en50221.c
> > @@ -187,7 +187,7 @@ static void dvb_ca_en50221_thread_wakeup(struct dvb_ca_private *ca);
> > static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot,
> > u8 *ebuf, int ecount);
> > static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
> > - u8 *ebuf, int ecount);
> > + u8 *ebuf, int ecount, int size_write_flag);
> >
> > /**
> > * findstr - Safely find needle in haystack.
> > @@ -370,7 +370,7 @@ static int dvb_ca_en50221_link_init(struct dvb_ca_private *ca, int slot)
> > ret = dvb_ca_en50221_wait_if_status(ca, slot, STATUSREG_FR, HZ / 10);
> > if (ret)
> > return ret;
> > - ret = dvb_ca_en50221_write_data(ca, slot, buf, 2);
> > + ret = dvb_ca_en50221_write_data(ca, slot, buf, 2, CMDREG_SW);
> > if (ret != 2)
> > return -EIO;
> > ret = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND, IRQEN);
> > @@ -778,11 +778,13 @@ static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot,
> > * @buf: The data in this buffer is treated as a complete link-level packet to
> > * be written.
> > * @bytes_write: Size of ebuf.
> > + * @size_write_flag: A flag on Command Register which says whether the link size
> > + * information will be writen or not.
> > *
> > * return: Number of bytes written, or < 0 on error.
> > */
> > static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
> > - u8 *buf, int bytes_write)
> > + u8 *buf, int bytes_write, int size_write_flag)
> > {
> > struct dvb_ca_slot *sl = &ca->slot_info[slot];
> > int status;
> > @@ -817,7 +819,7 @@ static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
> >
> > /* OK, set HC bit */
> > status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND,
> > - IRQEN | CMDREG_HC);
> > + IRQEN | CMDREG_HC | size_write_flag);
> > if (status)
> > goto exit;
> >
> > @@ -1508,7 +1510,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
> >
> > mutex_lock(&sl->slot_lock);
> > status = dvb_ca_en50221_write_data(ca, slot, fragbuf,
> > - fraglen + 2);
> > + fraglen + 2, 0);
> > mutex_unlock(&sl->slot_lock);
> > if (status == (fraglen + 2)) {
> > written = 1;
> > --
> > 2.17.1
> >
Powered by blists - more mailing lists