Date: Tue, 8 May 2018 12:38:36 +0200
From: Daniel Scheller
To: Colin King
Cc: Mauro Carvalho Chehab, linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH][media-next] media: ddbridge: avoid out-of-bounds write on array demod_in_use
Message-ID: <20180508123836.0b5c2f7f@lt530>
In-Reply-To: <20180507230842.28409-1-colin.king@canonical.com>

Hi Colin,

On Tue, 8 May 2018 00:08:42 +0100, Colin King wrote:
> From: Colin Ian King
>
> In function stop there is a check to see if state->demod is a stopped
> value of 0xff, however, later on, array demod_in_use is indexed with
> this value causing an out-of-bounds write error. Avoid this by only
> writing to array demod_in_use if state->demod is not set to the stopped
> sentinel value for this specific corner case. Also, replace the magic
> value 0xff with DEMOD_STOPPED to make code more readable.
>
> Detected by CoverityScan, CID#1468550 ("Out-of-bounds write")
>
> Fixes: daeeb1319e6f ("media: ddbridge: initial support for MCI-based MaxSX8 cards")
> Signed-off-by: Colin Ian King
> ---
> drivers/media/pci/ddbridge/ddbridge-mci.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/media/pci/ddbridge/ddbridge-mci.c b/drivers/media/pci/ddbridge/ddbridge-mci.c > index a85ff3e6b919..1f5ed53c8d35 100644 > --- a/drivers/media/pci/ddbridge/ddbridge-mci.c > +++ b/drivers/media/pci/ddbridge/ddbridge-mci.c > @@ -20,6 +20,8 @@ > #include "ddbridge-io.h" > #include "ddbridge-mci.h" > > +#define DEMOD_STOPPED (0xff) > + > static LIST_HEAD(mci_list); > > static const u32 MCLK = (1550000000 / 12); > @@ -193,7 +195,7 @@ static int stop(struct dvb_frontend *fe) > u32 input = state->tuner; > > memset(&cmd, 0, sizeof(cmd)); > - if (state->demod != 0xff) { > + if (state->demod != DEMOD_STOPPED) { > cmd.command = MCI_CMD_STOP; > cmd.demod = state->demod; > mci_cmd(state, &cmd, NULL);
> @@ -209,10 +211,11 @@ static int stop(struct dvb_frontend *fe) > state->base->tuner_use_count[input]--; > if (!state->base->tuner_use_count[input]) > mci_set_tuner(fe, input, 0); > - state->base->demod_in_use[state->demod] = 0; > + if (state->demod != DEMOD_STOPPED) > + state->base->demod_in_use[state->demod] = 0; > state->base->used_ldpc_bitrate[state->nr] = 0; > - state->demod = 0xff; > - state->base->assigned_demod[state->nr] = 0xff; > + state->demod = DEMOD_STOPPED; > + state->base->assigned_demod[state->nr] = DEMOD_STOPPED; > state->base->iq_mode = 0; > mutex_unlock(&state->base->tuner_lock); > state->started = 0;

Thanks for the patch, or - better - pointing this out. While it's unlikely this will ever be an issue, I'm fine with changing the code like that, but I'd prefer to change it a bit differently (ie. DEMOD_STOPPED should be DEMOD_UNUSED, and I'd add defines for max. tuners and use/compare against them).

I'll send out a different patch that will cover the potential coverityscan problem throughout the end of the week.

Best regards,
Daniel Scheller
--
https://github.com/herrnst
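
Review bot: In the first hunk (@@ -20,6 +20,8), DEMOD_STOPPED is defined locally in ddbridge-mci.c although ddbridge-mci.h is included two lines above it; if any other file stores or compares the 0xff sentinel in state->demod or assigned_demod, the define belongs in that header so the two cannot drift apart. The parentheses around the literal in `#define DEMOD_STOPPED (0xff)` are unnecessary, and a one-line comment stating that the value marks "no demod assigned" and must never be used as an index into demod_in_use would document the invariant the rest of the patch relies on.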
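
Review bot: In the last stop() hunk (@@ -209,10 +211,11), the new guard `if (state->demod != DEMOD_STOPPED)` in front of the demod_in_use write excludes only the sentinel, so any other value that is not a valid index would still write out of bounds. Comparing state->demod against the array bound instead (for example ARRAY_SIZE(state->base->demod_in_use), assuming demod_in_use is a fixed-size array, which the visible lines do not show) would reject the sentinel and every other invalid value in one check. The same sentinel test already appears earlier in stop() around MCI_CMD_STOP, so the commit message should say whether state->demod can change between the two; the unchanged context also indexes tuner_use_count with input taken from state->tuner without any check, which deserves the same look.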