Date: Wed, 9 May 2018 22:13:06 +0200
From: Daniel Scheller
To: Colin Ian King
Cc: Mauro Carvalho Chehab, linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH][media-next] media: ddbridge: avoid out-of-bounds write on array demod_in_use
Message-ID: <20180509221306.708c2d52@lt530>

Hi Colin,

On Tue, 8 May 2018 11:39:56 +0100, Colin Ian King wrote:

> On 08/05/18 11:38, Daniel Scheller wrote:
> > Hi Colin,
> >
> > On Tue, 8 May 2018 00:08:42 +0100
> > Colin King wrote:
> >
> >> From: Colin Ian King
> >>
> >> In function stop there is a check to see if state->demod is a stopped
> >> value of 0xff, however, later on, array demod_in_use is indexed with
> >> this value causing an out-of-bounds write error. Avoid this by only
> >> writing to array demod_in_use if state->demod is not set to the stopped
> >> sentinel value for this specific corner case. Also, replace the magic
> >> value 0xff with DEMOD_STOPPED to make code more readable.
> >>
> >> Detected by CoverityScan, CID#1468550 ("Out-of-bounds write")
> >>
> >> Fixes: daeeb1319e6f ("media: ddbridge: initial support for MCI-based MaxSX8 cards")
> >> Signed-off-by: Colin Ian King
> >> ---
> >> drivers/media/pci/ddbridge/ddbridge-mci.c | 11 +++++++----
> >> 1 file changed, 7 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/drivers/media/pci/ddbridge/ddbridge-mci.c b/drivers/media/pci/ddbridge/ddbridge-mci.c > >> index a85ff3e6b919..1f5ed53c8d35 100644 > >> --- a/drivers/media/pci/ddbridge/ddbridge-mci.c > >> +++ b/drivers/media/pci/ddbridge/ddbridge-mci.c > >> @@ -20,6 +20,8 @@ > >> #include "ddbridge-io.h" > >> #include "ddbridge-mci.h" > >> > >> +#define DEMOD_STOPPED (0xff) > >> + > >> static LIST_HEAD(mci_list); > >> > >> static const u32 MCLK = (1550000000 / 12); > >> @@ -193,7 +195,7 @@ static int stop(struct dvb_frontend *fe) > >> u32 input = state->tuner; > >> > >> memset(&cmd, 0, sizeof(cmd)); > >> - if (state->demod != 0xff) { > >> + if (state->demod != DEMOD_STOPPED) { > >> cmd.command = MCI_CMD_STOP; > >> cmd.demod = state->demod; > >> mci_cmd(state, &cmd, NULL); 
> >> @@ -209,10 +211,11 @@ static int stop(struct dvb_frontend *fe) > >> state->base->tuner_use_count[input]--; > >> if (!state->base->tuner_use_count[input]) > >> mci_set_tuner(fe, input, 0); > >> - state->base->demod_in_use[state->demod] = 0; > >> + if (state->demod != DEMOD_STOPPED) > >> + state->base->demod_in_use[state->demod] = 0; > >> state->base->used_ldpc_bitrate[state->nr] = 0; > >> - state->demod = 0xff; > >> - state->base->assigned_demod[state->nr] = 0xff; > >> + state->demod = DEMOD_STOPPED; > >> + state->base->assigned_demod[state->nr] = DEMOD_STOPPED; > >> state->base->iq_mode = 0; > >> mutex_unlock(&state->base->tuner_lock); > >> state->started = 0;
> >
> > Thanks for the patch, or - better - pointing this out. While it's
> > unlikely this will ever be an issue, I'm fine with changing the code
> > like that, but I'd prefer to change it a bit differently (ie.
> > DEMOD_STOPPED should be DEMOD_UNUSED, and I'd add defines for max.
> > tuners and use/compare against them).
>
> Sounds like a good idea.
>
> >
> > I'll send out a different patch that will cover the potential
> > coverityscan problem throughout the end of the week.
>
> Great. Thanks!

JFYI, patch sent as part of a few other fixes and up at linux-media
patchwork:

https://patchwork.linuxtv.org/patch/49403/

Best regards,
Daniel Scheller
--
https://github.com/herrnst
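
Review bot: in the first hunk (@@ -20,6 +20,8 @@), `#define DEMOD_STOPPED (0xff)` is private to ddbridge-mci.c, although the same value is stored in state->demod and in state->base->assigned_demod[], which live in shared state. Placing the define in ddbridge-mci.h, which this file already includes, with a one-line comment saying it marks the stopped state, would let any other reader of those fields use the name instead of repeating the literal. The parentheses around a plain constant are not needed.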
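
Review bot: in the last hunk of stop() (@@ -209,10 +211,11 @@), the new guard `if (state->demod != DEMOD_STOPPED)` excludes only the one sentinel value, so any other value of state->demod at or beyond the size of demod_in_use would still be written out of bounds. The array size is not visible in this diff; if demod_in_use is a fixed-size array member, testing the index against it, for example `if (state->demod < ARRAY_SIZE(state->base->demod_in_use))`, covers the sentinel and every other out-of-range value in one check, and fits the suggestion in the reply to compare against defines for the maximum counts. The neighbouring writes indexed by state->nr (used_ldpc_bitrate[] and assigned_demod[]) remain unchecked; a short comment stating why state->nr is always in range would help the next reader.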