| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Oct 2022 22:41:47 +0900
From: 유용수 <yongsuyoo0215@...il.com>
To: mchehab@...nel.org, linux-media@...r.kernel.org,
linux-kernel@...r.kernel.org, yongsu.yoo@....com,
유용수 <yongsuyoo0215@...il.com>,
Hans Petter Selasky <hps@...asky.org>
Subject: Re: [PATCH] media: dvb_ca_en50221: A bug is fixed for size write
Dear All
Can you share how this patch is going ?
2022년 9월 15일 (목) 오후 5:47, 유용수 <yongsuyoo0215@...il.com>님이 작성:
>
> Dear All
> Can you share how this patch is going ?
>
> 2022년 8월 31일 (수) 오후 10:43, 유용수 <yongsuyoo0215@...il.com>님이 작성:
> >
> > Dear All
> > Can you share how this patch is going ?
> >
> > 2022년 8월 18일 (목) 오후 9:50, YongSu Yoo <yongsuyoo0215@...il.com>님이 작성:
> > >
> > > Signed-off-by:Yongsu Yoo <yongsuyoo0215@...il.com>
> > >
> > > The function of "dvb_ca_en50221_write_data" at source/drivers/media
> > > /dvb-core/dvb_ca_en50221.c is used for two cases.
> > > The first case is for writing APDU data in the function of
> > > "dvb_ca_en50221_io_write" at source/drivers/media/dvb-core/
> > > dvb_ca_en50221.c.
> > > The second case is for writing the host link buf size on the
> > > Command Register in the function of "dvb_ca_en50221_link_init"
> > > at source/drivers/media/dvb-core/dvb_ca_en50221.c.
> > > In the second case, there exists a bug like followings.
> > > In the function of the "dvb_ca_en50221_link_init",
> > > after a TV host calculates the host link buf_size,
> > > the TV host writes the calculated host link buf_size on the
> > > Size Register.
> > > Accroding to the en50221 Spec (the page 60 of
> > > https://dvb.org/wp-content/uploads/2020/02/En50221.V1.pdf),
> > > before this writing operation, the "SW(CMDREG_SW)" flag in the
> > > Command Register should be set. We can see this setting operation
> > > in the function of the "dvb_ca_en50221_link_init" like below.
> > > ...
> > > if ((ret = ca->pub->write_cam_control(ca->pub, slot,
> > > CTRLIF_COMMAND, IRQEN | CMDREG_SW)) != 0)
> > > return ret;
> > > ...
> > > But, after that, the real writing operation is implemented using
> > > the function of the "dvb_ca_en50221_write_data" in the function of
> > > "dvb_ca_en50221_link_init", and the "dvb_ca_en50221_write_data"
> > > includes the function of "ca->pub->write_cam_control",
> > > and the function of the "ca->pub->write_cam_control" in the
> > > function of the "dvb_ca_en50221_wrte_data" does not include
> > > "CMDREG_SW" flag like below.
> > > ...
> > > if ((status = ca->pub->write_cam_control(ca->pub, slot,
> > > CTRLIF_COMMAND, IRQEN | CMDREG_HC)) != 0)
> > > ...
> > > In the above source code, we can see only the "IRQEN | CMDREG_HC",
> > > but we cannot see the "CMDREG_SW".
> > > The "CMDREG_SW" flag which was set in the function of the
> > > "dvb_ca_en50221_link_init" was rollbacked by the follwoing function
> > > of the "dvb_ca_en50221_write_data".
> > > This is a bug. and this bug causes that the calculated host link buf_size
> > > is not properly written in the CI module.
> > > Through this patch, we fix this bug.
> > > ---
> > > drivers/media/dvb-core/dvb_ca_en50221.c | 12 +++++++-----
> > > 1 file changed, 7 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
> > > index 15a08d8c69ef..13f249b0a080 100644
> > > --- a/drivers/media/dvb-core/dvb_ca_en50221.c
> > > +++ b/drivers/media/dvb-core/dvb_ca_en50221.c
> > > @@ -187,7 +187,7 @@ static void dvb_ca_en50221_thread_wakeup(struct dvb_ca_private *ca);
> > > static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot,
> > > u8 *ebuf, int ecount);
> > > static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
> > > - u8 *ebuf, int ecount);
> > > + u8 *ebuf, int ecount, int size_write_flag);
> > >
> > > /**
> > > * findstr - Safely find needle in haystack.
> > > @@ -370,7 +370,7 @@ static int dvb_ca_en50221_link_init(struct dvb_ca_private *ca, int slot)
> > > ret = dvb_ca_en50221_wait_if_status(ca, slot, STATUSREG_FR, HZ / 10);
> > > if (ret)
> > > return ret;
> > > - ret = dvb_ca_en50221_write_data(ca, slot, buf, 2);
> > > + ret = dvb_ca_en50221_write_data(ca, slot, buf, 2, CMDREG_SW);
> > > if (ret != 2)
> > > return -EIO;
> > > ret = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND, IRQEN);
> > > @@ -778,11 +778,13 @@ static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot,
> > > * @buf: The data in this buffer is treated as a complete link-level packet to
> > > * be written.
> > > * @bytes_write: Size of ebuf.
> > > + * @size_write_flag: A flag on Command Register which says whether the link size
> > > + * information will be writen or not.
> > > *
> > > * return: Number of bytes written, or < 0 on error.
> > > */
> > > static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
> > > - u8 *buf, int bytes_write)
> > > + u8 *buf, int bytes_write, int size_write_flag)
> > > {
> > > struct dvb_ca_slot *sl = &ca->slot_info[slot];
> > > int status;
> > > @@ -817,7 +819,7 @@ static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
> > >
> > > /* OK, set HC bit */
> > > status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND,
> > > - IRQEN | CMDREG_HC);
> > > + IRQEN | CMDREG_HC | size_write_flag);
> > > if (status)
> > > goto exit;
> > >
> > > @@ -1508,7 +1510,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
> > >
> > > mutex_lock(&sl->slot_lock);
> > > status = dvb_ca_en50221_write_data(ca, slot, fragbuf,
> > > - fraglen + 2);
> > > + fraglen + 2, 0);
> > > mutex_unlock(&sl->slot_lock);
> > > if (status == (fraglen + 2)) {
> > > written = 1;
> > > --
> > > 2.17.1
> > >
Powered by blists - more mailing lists