lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 27 Sep 2022 10:01:11 +0800
From:   Hangyu Hua <hbh25y@...il.com>
To:     mchehab@...nel.org, senozhatsky@...omium.org,
        cai.huoqing@...ux.dev, hverkuil-cisco@...all.nl,
        sw0312.kim@...sung.com, satendra.t@...sung.com,
        jh1009.sung@...sung.com, nenggun.kim@...sung.com
Cc:     linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] media: dvb_vb2: fix possible out of bound access

On 19/5/2022 10:17, Hangyu Hua wrote:
> vb2_core_qbuf and vb2_core_querybuf don't check the range of b->index
> controlled by the user.
> 
> Fix this by adding range checking code before using them.
> 
> Fixes: 57868acc369a ("media: videobuf2: Add new uAPI for DVB streaming I/O")
> Signed-off-by: Hangyu Hua <hbh25y@...il.com>
> Reviewed-by: Sergey Senozhatsky <senozhatsky@...omium.org>
> ---
> 
> v2:
> 1. fix inappropriate use of dprintk.
> 2. add "fixes" tag
> 
>   drivers/media/dvb-core/dvb_vb2.c | 11 +++++++++++
>   1 file changed, 11 insertions(+)
> 
> diff --git a/drivers/media/dvb-core/dvb_vb2.c b/drivers/media/dvb-core/dvb_vb2.c
> index a1bd6d9c9223..909df82fed33 100644
> --- a/drivers/media/dvb-core/dvb_vb2.c
> +++ b/drivers/media/dvb-core/dvb_vb2.c
> @@ -354,6 +354,12 @@ int dvb_vb2_reqbufs(struct dvb_vb2_ctx *ctx, struct dmx_requestbuffers *req)
>   
>   int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
>   {
> +	struct vb2_queue *q = &ctx->vb_q;
> +
> +	if (b->index >= q->num_buffers) {
> +		dprintk(1, "[%s] buffer index out of range\n", ctx->name);
> +		return -EINVAL;
> +	}
>   	vb2_core_querybuf(&ctx->vb_q, b->index, b);
>   	dprintk(3, "[%s] index=%d\n", ctx->name, b->index);
>   	return 0;
> @@ -378,8 +384,13 @@ int dvb_vb2_expbuf(struct dvb_vb2_ctx *ctx, struct dmx_exportbuffer *exp)
>   
>   int dvb_vb2_qbuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
>   {
> +	struct vb2_queue *q = &ctx->vb_q;
>   	int ret;
>   
> +	if (b->index >= q->num_buffers) {
> +		dprintk(1, "[%s] buffer index out of range\n", ctx->name);
> +		return -EINVAL;
> +	}
>   	ret = vb2_core_qbuf(&ctx->vb_q, b->index, b, NULL);
>   	if (ret) {
>   		dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,

Hi guys,

Looks like this patch was forgotten to to merge into master branch. This 
bug still in:
https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n355
and
https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n379

Thanks,
Hangyu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ