Re: [PATCH 4.19 016/125] media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq()

From: Sean Young
Date: Tue Sep 01 2020 - 12:25:24 EST


Greg,

On Tue, Sep 01, 2020 at 05:09:31PM +0200, Greg Kroah-Hartman wrote:
> From: Jia-Ju Bai <baijiaju@xxxxxxxxxxxxxxx>
>
> [ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ]
>
> The value av7110->debi_virt is stored in DMA memory, and it is assigned
> to data, and thus data[0] can be modified at any time by malicious
> hardware. In this case, "if (data[0] < 2)" can be passed, but then
> data[0] can be changed into a large number, which may cause buffer
> overflow when the code "av7110->ci_slot[data[0]]" is used.
>
> To fix this possible bug, data[0] is assigned to a local variable, which
> replaces the use of data[0].

See the discussion here:

https://lkml.org/lkml/2020/8/31/479

It does not seem worthwhile merging to the stable trees.

Thanks

Sean

>
> Signed-off-by: Jia-Ju Bai <baijiaju@xxxxxxxxxxxxxxx>
> Signed-off-by: Sean Young <sean@xxxxxxxx>
> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> ---
> drivers/media/pci/ttpci/av7110.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/pci/ttpci/av7110.c b/drivers/media/pci/ttpci/av7110.c
> index d6816effb8786..d02b5fd940c12 100644
> --- a/drivers/media/pci/ttpci/av7110.c
> +++ b/drivers/media/pci/ttpci/av7110.c
> @@ -424,14 +424,15 @@ static void debiirq(unsigned long cookie)
> case DATA_CI_GET:
> {
> u8 *data = av7110->debi_virt;
> + u8 data_0 = data[0];
>
> - if ((data[0] < 2) && data[2] == 0xff) {
> + if (data_0 < 2 && data[2] == 0xff) {
> int flags = 0;
> if (data[5] > 0)
> flags |= CA_CI_MODULE_PRESENT;
> if (data[5] > 5)
> flags |= CA_CI_MODULE_READY;
> - av7110->ci_slot[data[0]].flags = flags;
> + av7110->ci_slot[data_0].flags = flags;
> } else
> ci_get_data(&av7110->ci_rbuffer,
> av7110->debi_virt,
> --
> 2.25.1
>
>