linux-kernel - Re: [PATCH v2] media: dvb_vb2: fix possible out of bound access

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date:   Tue, 27 Sep 2022 10:10:24 +0200
From:   Hans Verkuil <hverkuil-cisco@...all.nl>
To:     Hangyu Hua <hbh25y@...il.com>, mchehab@...nel.org,
        senozhatsky@...omium.org, cai.huoqing@...ux.dev,
        sw0312.kim@...sung.com, satendra.t@...sung.com,
        jh1009.sung@...sung.com, nenggun.kim@...sung.com
Cc:     linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] media: dvb_vb2: fix possible out of bound access

On 27/09/2022 04:01, Hangyu Hua wrote:
> On 19/5/2022 10:17, Hangyu Hua wrote:
>> vb2_core_qbuf and vb2_core_querybuf don't check the range of b->index
>> controlled by the user.
>>
>> Fix this by adding range checking code before using them.
>>
>> Fixes: 57868acc369a ("media: videobuf2: Add new uAPI for DVB streaming I/O")
>> Signed-off-by: Hangyu Hua <hbh25y@...il.com>
>> Reviewed-by: Sergey Senozhatsky <senozhatsky@...omium.org>
>> ---
>>
>> v2:
>> 1. fix inappropriate use of dprintk.
>> 2. add "fixes" tag
>>
>>   drivers/media/dvb-core/dvb_vb2.c | 11 +++++++++++
>>   1 file changed, 11 insertions(+)
>>
>> diff --git a/drivers/media/dvb-core/dvb_vb2.c b/drivers/media/dvb-core/dvb_vb2.c
>> index a1bd6d9c9223..909df82fed33 100644
>> --- a/drivers/media/dvb-core/dvb_vb2.c
>> +++ b/drivers/media/dvb-core/dvb_vb2.c
>> @@ -354,6 +354,12 @@ int dvb_vb2_reqbufs(struct dvb_vb2_ctx *ctx, struct dmx_requestbuffers *req)
>>     int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
>>   {
>> +    struct vb2_queue *q = &ctx->vb_q;
>> +
>> +    if (b->index >= q->num_buffers) {
>> +        dprintk(1, "[%s] buffer index out of range\n", ctx->name);
>> +        return -EINVAL;
>> +    }
>>       vb2_core_querybuf(&ctx->vb_q, b->index, b);
>>       dprintk(3, "[%s] index=%d\n", ctx->name, b->index);
>>       return 0;
>> @@ -378,8 +384,13 @@ int dvb_vb2_expbuf(struct dvb_vb2_ctx *ctx, struct dmx_exportbuffer *exp)
>>     int dvb_vb2_qbuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
>>   {
>> +    struct vb2_queue *q = &ctx->vb_q;
>>       int ret;
>>   +    if (b->index >= q->num_buffers) {
>> +        dprintk(1, "[%s] buffer index out of range\n", ctx->name);
>> +        return -EINVAL;
>> +    }
>>       ret = vb2_core_qbuf(&ctx->vb_q, b->index, b, NULL);
>>       if (ret) {
>>           dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,
> 
> Hi guys,
> 
> Looks like this patch was forgotten to to merge into master branch. This bug still in:
> https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n355
> and
> https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n379
> 
> Thanks,
> Hangyu

That's weird, it was part of this pull request:

https://patchwork.linuxtv.org/project/linux-media/patch/2eeaad13-091d-6547-cdeb-0a7a15dc5c3f@xs4all.nl/

But none of the patches in that PR ever made it to upstream. Something went very wrong
with that PR.

I'm preparing a new pull request.

Thank you very much for notifying me!

Regards,

	Hans