authorOliver Neukum <oneukum@suse.com>2019-05-20 16:17:09 +0200
committerOliver Neukum <oneukum@suse.com>2019-05-20 16:17:09 +0200
commit287cf3868992ec68345e6373be1990a87d4d958b (patch)
tree489006120f1f30948025f32cf7f174315fbe38e0
parentafb37c200c8455f2fb65de2c4ca36620b9a5c02d (diff)
media: pvrusb2: Prevent a buffer overflow (bsc#1135642).
-rw-r--r--patches.fixes/0001-media-pvrusb2-Prevent-a-buffer-overflow.patch61
-rw-r--r--series.conf1
2 files changed, 62 insertions, 0 deletions
diff --git a/patches.fixes/0001-media-pvrusb2-Prevent-a-buffer-overflow.patch b/patches.fixes/0001-media-pvrusb2-Prevent-a-buffer-overflow.patch
new file mode 100644
index 0000000000..5c60aa313c
--- /dev/null
+++ b/patches.fixes/0001-media-pvrusb2-Prevent-a-buffer-overflow.patch
@@ -0,0 +1,61 @@
+From c1ced46c7b49ad7bc064e68d966e0ad303f917fb Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 8 Apr 2019 05:52:38 -0400
+Subject: [PATCH] media: pvrusb2: Prevent a buffer overflow
+Git-commit: c1ced46c7b49ad7bc064e68d966e0ad303f917fb
+Patch-mainline: v5.2-rc1
+References: bsc#1135642
+
+The ctrl_check_input() function is called from pvr2_ctrl_range_check().
+It's supposed to validate user supplied input and return true or false
+depending on whether the input is valid or not. The problem is that
+negative shifts or shifts greater than 31 are undefined in C. In
+practice with GCC they result in shift wrapping so this function returns
+true for some inputs which are not valid and this could result in a
+buffer overflow:
+
+ drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
+ warn: uncapped user index 'names[val]'
+
+The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
+and the highest valid bit is BIT(4).
+
+Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 ++
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.h | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+index 51112b7988e4..816c85786c2a 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -666,6 +666,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp)
+
+ static int ctrl_check_input(struct pvr2_ctrl *cptr,int v)
+ {
++ if (v < 0 || v > PVR2_CVAL_INPUT_MAX)
++ return 0;
+ return ((1 << v) & cptr->hdw->input_allowed_mask) != 0;
+ }
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
+index 25648add77e5..bd2b7a67b732 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
+@@ -50,6 +50,7 @@
+ #define PVR2_CVAL_INPUT_COMPOSITE 2
+ #define PVR2_CVAL_INPUT_SVIDEO 3
+ #define PVR2_CVAL_INPUT_RADIO 4
++#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO
+
+ enum pvr2_config {
+ pvr2_config_empty, /* No configuration */
+--
+2.16.4
+
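Review bot: `PVR2_CVAL_INPUT_MAX` in the pvrusb2-hdw.h hunk is tied to `PVR2_CVAL_INPUT_RADIO` by hand, and nothing tells someone adding another input value that the new range check in `ctrl_check_input()` depends on it. A comment above the define would close that gap, for example `/* Highest PVR2_CVAL_INPUT_* value; ctrl_check_input() rejects anything above it, so update this when adding an input. */`. The guard bounds `v` to 0..4 before `1 << v`, which removes the undefined shift the commit message describes. The indexing site the message names, `names[val]` in pvr2_ctrl_get_valname(), is not touched by this patch, so it presumably still relies on every user-supplied value passing through pvr2_ctrl_range_check() first. It is worth confirming that this holds in the 42.3 tree being patched.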
diff --git a/series.conf b/series.conf
index 2dc9a42d24..da065e8d8b 100644
--- a/series.conf
+++ b/series.conf
@@ -25344,6 +25344,7 @@
patches.drivers/Bluetooth-hidp-fix-buffer-overflow.patch
patches.fixes/0001-UAS-fix-alignment-of-scatter-gather-segments.patch
patches.fixes/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch
+ patches.fixes/0001-media-pvrusb2-Prevent-a-buffer-overflow.patch
patches.fixes/0001-drm-i915-Fix-I915_EXEC_RING_MASK.patch
patches.fixes/0002-drm-fb-helper-dpms_legacy-Only-set-on-connectors-in-.patch
patches.arch/powerpc-numa-improve-control-of-topology-updates.patch