lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f17042fd-890a-4a1e-b51e-6aead9986128@moroto.mountain>
Date: Mon, 22 Apr 2024 12:30:12 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Ricardo Ribalda <ribalda@...omium.org>
Cc: Ezequiel GarcĂ­a <elezegarcia@...il.com>,
	Ezequiel Garcia <ezequiel@...guardiasur.com.ar>,
	Mauro Carvalho Chehab <mchehab@...nel.org>,
	linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: stk1160: fix some bounds checking in
 stk1160_copy_video()

On Wed, Apr 17, 2024 at 08:48:23PM +0200, Ricardo Ribalda wrote:
> Hi Dan
> 
> On Wed, 17 Apr 2024 at 19:51, Dan Carpenter <dan.carpenter@...aro.org> wrote:
> >
> > The subtract in this condition is reversed.  The ->length is the length
> > of the buffer.  The ->bytesused is how many bytes we have copied thus
> > far.  When the condition is reversed that means the result of the
> > subtraction is always negative but since it's unsigned then the result
> > is a very high positive value.  That means the overflow check is never
> > true.
> >
> > Fixes: 9cb2173e6ea8 ("[media] media: Add stk1160 new driver (easycap replacement)")
> > Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> > ---
> > This patch is untested, I just spotted it in review.
> >
> > When this bug is fixed, the two checks for negative values of "lencopy"
> > could be removed.  I wrote a version of this patch which removed the
> > checks, but in the end I decided to leave the checks.  They're harmless.
> >
> >  drivers/media/usb/stk1160/stk1160-video.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/media/usb/stk1160/stk1160-video.c b/drivers/media/usb/stk1160/stk1160-video.c
> > index 366f0e4a5dc0..bfb97ea352e7 100644
> > --- a/drivers/media/usb/stk1160/stk1160-video.c
> > +++ b/drivers/media/usb/stk1160/stk1160-video.c
> > @@ -139,8 +139,8 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len)
> >          * Check if we have enough space left in the buffer.
> >          * In that case, we force loop exit after copy.
> >          */
> > -       if (lencopy > buf->bytesused - buf->length) {
> > -               lencopy = buf->bytesused - buf->length;
> > +       if (lencopy > buf->length - buf->bytesused) {
> > +               lencopy = buf->length - buf->bytesused;
> >                 remain = lencopy;
> >         }
> 
> I think it is a bit more complicated than bytesused.
> 
> bytesused does not take into consideration the actual position where
> it is going to write.
> 
> What we really want to check is if
> 
> offset = dst - buf->mem;
> if (offset + lencopy > buf->length) {
>   lencopy = buf->length - offset;
>   remain = lencopy;
> }
> 

You're right...  There is a comment explaining why we multiply the
number of lines written by two, but it doesn't really clarify anything
for me:

	/* Multiply linesdone by two, to take account of the other field */

What's the "other field"?

I kind of suspect that the stk1160_buffer_done() might be wrong as well.

	vb2_set_plane_payload(&buf->vb.vb2_buf, 0, buf->bytesused);
                                                   ^^^^^^^^^^^^^^

We're calculating the space left based on ->pos which can be reset to
zero in stk1160_process_isoc().  But ->bytesused isn't reset, so
potentially we could end up in a situation where ->bytesused is greater
than the ->length of the buffer.  Should stk1160_process_isoc() set
->bytesused to zero as well?

regards,
dan carpenter


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ