| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b4b52911-e135-38b6-ab2e-4580e1ac0302@gmail.com>
Date: Tue, 27 Sep 2022 10:01:11 +0800
From: Hangyu Hua <hbh25y@...il.com>
To: mchehab@...nel.org, senozhatsky@...omium.org,
cai.huoqing@...ux.dev, hverkuil-cisco@...all.nl,
sw0312.kim@...sung.com, satendra.t@...sung.com,
jh1009.sung@...sung.com, nenggun.kim@...sung.com
Cc: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] media: dvb_vb2: fix possible out of bound access
On 19/5/2022 10:17, Hangyu Hua wrote:
> vb2_core_qbuf and vb2_core_querybuf don't check the range of b->index
> controlled by the user.
>
> Fix this by adding range checking code before using them.
>
> Fixes: 57868acc369a ("media: videobuf2: Add new uAPI for DVB streaming I/O")
> Signed-off-by: Hangyu Hua <hbh25y@...il.com>
> Reviewed-by: Sergey Senozhatsky <senozhatsky@...omium.org>
> ---
>
> v2:
> 1. fix inappropriate use of dprintk.
> 2. add "fixes" tag
>
> drivers/media/dvb-core/dvb_vb2.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/drivers/media/dvb-core/dvb_vb2.c b/drivers/media/dvb-core/dvb_vb2.c
> index a1bd6d9c9223..909df82fed33 100644
> --- a/drivers/media/dvb-core/dvb_vb2.c
> +++ b/drivers/media/dvb-core/dvb_vb2.c
> @@ -354,6 +354,12 @@ int dvb_vb2_reqbufs(struct dvb_vb2_ctx *ctx, struct dmx_requestbuffers *req)
>
> int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
> {
> + struct vb2_queue *q = &ctx->vb_q;
> +
> + if (b->index >= q->num_buffers) {
> + dprintk(1, "[%s] buffer index out of range\n", ctx->name);
> + return -EINVAL;
> + }
> vb2_core_querybuf(&ctx->vb_q, b->index, b);
> dprintk(3, "[%s] index=%d\n", ctx->name, b->index);
> return 0;
> @@ -378,8 +384,13 @@ int dvb_vb2_expbuf(struct dvb_vb2_ctx *ctx, struct dmx_exportbuffer *exp)
>
> int dvb_vb2_qbuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
> {
> + struct vb2_queue *q = &ctx->vb_q;
> int ret;
>
> + if (b->index >= q->num_buffers) {
> + dprintk(1, "[%s] buffer index out of range\n", ctx->name);
> + return -EINVAL;
> + }
> ret = vb2_core_qbuf(&ctx->vb_q, b->index, b, NULL);
> if (ret) {
> dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,
Hi guys,
Looks like this patch was forgotten to to merge into master branch. This
bug still in:
https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n355
and
https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n379
Thanks,
Hangyu
Powered by blists - more mailing lists