From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Mauro Carvalho Chehab, Al Viro, linux-media@vger.kernel.org (open list:MEDIA INPUT INFRASTRUCTURE (V4L/DVB)), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] media: dvb: fix a missing-check bug
Date: Thu, 4 Oct 2018 09:59:36 -0500
Message-Id: <1538665177-17604-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In dvb_video_write(), the first header byte of the buffer 'buf' supplied by the user is checked to see whether 'buf' contains a TS packet, which always starts with 0x47 for synchronization purposes. If yes, ts_play() is called. Otherwise, dvb_play() will be called. Both of these functions will copy 'buf' again from user space. However, no check is enforced on the first byte of the copied content after the second copy. Since 'buf' is in user space, a malicious user can race to change the first byte after the check in dvb_video_write() but before the second copy in ts_play(). By doing so, the user can supply inconsistent data, which can lead to undefined behavior in the driver.

This patch adds the required check in ts_play() to make sure the header byte in the second copy is as expected. Otherwise, the error code EINVAL will be returned.

Signed-off-by: Wenwen Wang
---
 drivers/media/pci/ttpci/av7110_av.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/pci/ttpci/av7110_av.c b/drivers/media/pci/ttpci/av7110_av.c index ef1bc17..1ff6062 100644 --- a/drivers/media/pci/ttpci/av7110_av.c +++ b/drivers/media/pci/ttpci/av7110_av.c @@ -468,6 +468,8 @@ static ssize_t ts_play(struct av7110 *av7110, const char __user *buf, } if (copy_from_user(kb, buf, TS_SIZE)) return -EFAULT; + if (kb[0] != 0x47) + return -EINVAL; write_ts_to_decoder(av7110, type, kb, TS_SIZE); todo -= TS_SIZE; buf += TS_SIZE;
-- 
2.7.4
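Review bot: the commit message says both ts_play() and dvb_play() re-copy 'buf' from user space after the byte-0 check in dvb_video_write(), yet only ts_play() gains a re-check in this hunk; dvb_play()'s second copy is left with the same unchecked first byte the message describes, so either add the corresponding check there or say in the message why the non-TS path is unaffected. Two smaller points on the added lines `+ if (kb[0] != 0x47)` / `+ return -EINVAL;`: the check sits inside the per-packet loop (`todo -= TS_SIZE; buf += TS_SIZE;`), so a bad sync byte in a later packet returns -EINVAL after earlier packets were already handed to write_ts_to_decoder(), discarding the count of bytes consumed; returning the bytes written so far when any were, and -EINVAL only for the first packet, matches what write() callers expect. And since the race exists only because the data is fetched twice, copying the first TS_SIZE bytes once in dvb_video_write() and dispatching on the kernel copy removes the second fetch altogether rather than re-validating it.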
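The double-fetch race the commit message describes, as an added example that is not part of the patch or of the av7110 driver: a user-space C simulation in which each copy from the "user buffer" can return a different snapshot, standing in for a racing user thread. sim_copy_from_user(), struct user_buf, run(), run_rc(), run_seen() and the three write_* variants are hypothetical names, and the packets are constructed inline. It shows the unpatched shape handing a packet whose first byte is 0x00 to the "decoder" on a path chosen because the byte was 0x47, the patched shape rejecting that with -EINVAL, and a single-copy shape that dispatches on the kernel copy and therefore has nothing to race against.

```c
/* Double-fetch (TOCTOU) model of the dvb_video_write()/ts_play() split.
 * Added example, user-space only; names below are hypothetical, not kernel API. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define TS_SIZE 188
#define TS_SYNC 0x47

/* Result codes: which path consumed the data (negative values are -errno). */
#define PATH_TS  1
#define PATH_PES 2

/* A "user buffer" whose content may change between fetches. The first
 * sim_copy_from_user() serves snapshot[0], every later one serves snapshot[1],
 * so two different snapshots model a user thread rewriting the buffer
 * between the dispatcher's peek and the handler's copy. Constructed model. */
struct user_buf {
    const uint8_t *snapshot[2];
    size_t len;
    int fetches;
};

static int sim_copy_from_user(void *dst, struct user_buf *ub, size_t n)
{
    const uint8_t *src;
    if (n > ub->len)
        return -EFAULT;
    src = ub->snapshot[ub->fetches == 0 ? 0 : 1];
    ub->fetches++;
    memcpy(dst, src, n);
    return 0;
}

/* 1. Unpatched shape: byte 0 is checked on the first fetch; the TS handler
 *    fetches again and passes kb[] on without looking at it. */
static int write_unpatched(struct user_buf *ub, uint8_t *decoder_saw)
{
    uint8_t first, kb[TS_SIZE];
    if (sim_copy_from_user(&first, ub, 1))
        return -EFAULT;
    if (first != TS_SYNC)
        return PATH_PES;
    if (sim_copy_from_user(kb, ub, TS_SIZE))
        return -EFAULT;
    *decoder_saw = kb[0];             /* may no longer be 0x47 */
    return PATH_TS;
}

/* 2. Shape after the patch: the handler re-validates its own copy. */
static int write_patched(struct user_buf *ub, uint8_t *decoder_saw)
{
    uint8_t first, kb[TS_SIZE];
    if (sim_copy_from_user(&first, ub, 1))
        return -EFAULT;
    if (first != TS_SYNC)
        return PATH_PES;
    if (sim_copy_from_user(kb, ub, TS_SIZE))
        return -EFAULT;
    if (kb[0] != TS_SYNC)             /* the check the patch adds */
        return -EINVAL;
    *decoder_saw = kb[0];
    return PATH_TS;
}

/* 3. Single-fetch shape: copy once, dispatch on the kernel copy. There is no
 *    second read of user memory, so the decision and the data cannot diverge. */
static int write_single_fetch(struct user_buf *ub, uint8_t *decoder_saw)
{
    uint8_t kb[TS_SIZE];
    if (sim_copy_from_user(kb, ub, TS_SIZE))
        return -EFAULT;
    if (kb[0] != TS_SYNC)
        return PATH_PES;
    *decoder_saw = kb[0];
    return PATH_TS;
}

/* mode 0: stable TS packet; mode 1: TS packet whose byte 0 flips to 0x00
 * after the first fetch (the race); mode 2: stable non-TS (PES-like) data. */
static int run(int (*variant)(struct user_buf *, uint8_t *), int mode, uint8_t *seen)
{
    static uint8_t ts_pkt[TS_SIZE], tampered[TS_SIZE];   /* constructed input */
    struct user_buf ub;
    memset(ts_pkt, 0xAA, sizeof ts_pkt);
    ts_pkt[0] = TS_SYNC;
    memcpy(tampered, ts_pkt, sizeof tampered);
    tampered[0] = 0x00;
    ub.snapshot[0] = mode == 2 ? tampered : ts_pkt;
    ub.snapshot[1] = mode == 0 ? ts_pkt : tampered;
    ub.len = TS_SIZE;
    ub.fetches = 0;
    *seen = 0xFF;
    return variant(&ub, seen);
}

static int run_rc(int (*v)(struct user_buf *, uint8_t *), int mode)
{ uint8_t s; return run(v, mode, &s); }
static int run_seen(int (*v)(struct user_buf *, uint8_t *), int mode)
{ uint8_t s; run(v, mode, &s); return s; }

int main(void)
{
    int ok = run_rc(write_unpatched, 1) == PATH_TS && run_seen(write_unpatched, 1) == 0x00
          && run_rc(write_patched, 1) == -EINVAL
          && run_rc(write_single_fetch, 1) == PATH_TS && run_seen(write_single_fetch, 1) == TS_SYNC;
    return ok ? 0 : 1;   /* 0 when the race shows up only in the unpatched variant */
}
```

In mode 1 the unpatched variant reports the TS path while the decoder receives a packet starting with 0x00, which is the inconsistency the commit message describes; the patched variant turns that into -EINVAL, and the single-fetch variant never sees the second snapshot at all.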