| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5dd713e1-0ad2-f9b3-6dd3-2ee87b329db8@xs4all.nl>
Date: Tue, 27 Sep 2022 10:10:24 +0200
From: Hans Verkuil <hverkuil-cisco@...all.nl>
To: Hangyu Hua <hbh25y@...il.com>, mchehab@...nel.org,
senozhatsky@...omium.org, cai.huoqing@...ux.dev,
sw0312.kim@...sung.com, satendra.t@...sung.com,
jh1009.sung@...sung.com, nenggun.kim@...sung.com
Cc: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] media: dvb_vb2: fix possible out of bound access
On 27/09/2022 04:01, Hangyu Hua wrote:
> On 19/5/2022 10:17, Hangyu Hua wrote:
>> vb2_core_qbuf and vb2_core_querybuf don't check the range of b->index
>> controlled by the user.
>>
>> Fix this by adding range checking code before using them.
>>
>> Fixes: 57868acc369a ("media: videobuf2: Add new uAPI for DVB streaming I/O")
>> Signed-off-by: Hangyu Hua <hbh25y@...il.com>
>> Reviewed-by: Sergey Senozhatsky <senozhatsky@...omium.org>
>> ---
>>
>> v2:
>> 1. fix inappropriate use of dprintk.
>> 2. add "fixes" tag
>>
>> drivers/media/dvb-core/dvb_vb2.c | 11 +++++++++++
>> 1 file changed, 11 insertions(+)
>>
>> diff --git a/drivers/media/dvb-core/dvb_vb2.c b/drivers/media/dvb-core/dvb_vb2.c
>> index a1bd6d9c9223..909df82fed33 100644
>> --- a/drivers/media/dvb-core/dvb_vb2.c
>> +++ b/drivers/media/dvb-core/dvb_vb2.c
>> @@ -354,6 +354,12 @@ int dvb_vb2_reqbufs(struct dvb_vb2_ctx *ctx, struct dmx_requestbuffers *req)
>> int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
>> {
>> + struct vb2_queue *q = &ctx->vb_q;
>> +
>> + if (b->index >= q->num_buffers) {
>> + dprintk(1, "[%s] buffer index out of range\n", ctx->name);
>> + return -EINVAL;
>> + }
>> vb2_core_querybuf(&ctx->vb_q, b->index, b);
>> dprintk(3, "[%s] index=%d\n", ctx->name, b->index);
>> return 0;
>> @@ -378,8 +384,13 @@ int dvb_vb2_expbuf(struct dvb_vb2_ctx *ctx, struct dmx_exportbuffer *exp)
>> int dvb_vb2_qbuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
>> {
>> + struct vb2_queue *q = &ctx->vb_q;
>> int ret;
>> + if (b->index >= q->num_buffers) {
>> + dprintk(1, "[%s] buffer index out of range\n", ctx->name);
>> + return -EINVAL;
>> + }
>> ret = vb2_core_qbuf(&ctx->vb_q, b->index, b, NULL);
>> if (ret) {
>> dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,
>
> Hi guys,
>
> Looks like this patch was forgotten to to merge into master branch. This bug still in:
> https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n355
> and
> https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n379
>
> Thanks,
> Hangyu
That's weird, it was part of this pull request:
https://patchwork.linuxtv.org/project/linux-media/patch/2eeaad13-091d-6547-cdeb-0a7a15dc5c3f@xs4all.nl/
But none of the patches in that PR ever made it to upstream. Something went very wrong
with that PR.
I'm preparing a new pull request.
Thank you very much for notifying me!
Regards,
Hans
Powered by blists - more mailing lists