Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3732229imm; Mon, 8 Oct 2018 08:39:40 -0700 (PDT) X-Google-Smtp-Source: ACcGV61AC/rIPEk0pyRljuHnLaca/S1Ecfif/bD5gvRcfjdpilpEpgYkHw7oaTs1REB2OZ58tf0Y X-Received: by 2002:a63:6946:: with SMTP id e67-v6mr21496314pgc.119.1539013179956; Mon, 08 Oct 2018 08:39:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539013179; cv=none; d=google.com; s=arc-20160816; b=O82AnddZ0NTaH3ZBfxCkV3+YIlmYTk+y4PaaSkh7aACbGP0c7S+UPatND0NKtvmDIM DKOa42X06bxGsL6qeoChncBCkYxI1Ftxp4jw/M18fp9CDdEOewt/jrwYxfd3Iv9jjKJS tqZUH8yNjUkIoWMU6gkarEsqrGlQ5uRpKJm/Oj94I2Hgp8Iyj/AZFP3x/BS42U5hPUoG GHeEfK1Q2cvB+Zx2zyg3UgXg4do5UNnN0jIPj+tKpF8hMslU2lrM06fH64rUgYcO15qT k9UqnMaL6VVewfBtk9rIgFFOxDR2d66BE3lMPrrx6covurZQ2sKu4el3tMlL6Zcljjkv cX8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=P2okYt8v/9pJwZGoQPD5pD7T6Qi1dfbx5TPHTNODFiE=; b=ONAAzNfVnm+HqnG/HWf11gW1OqIIYsO8Xtmm82UXGvgel/TRYuUvbySTbUVmsfBj0O oF+Qd6D5Re9ZmE8aFAEsofSPZidaAuPKj6awE3j8lq8muZHr56cffZ0ZpuSlgiuJV1+j MjPJW5gv06Qs/Uzn+er+n2v8DMIfac3ofcTuhfK/BvmzBtrgZ/K2akJIgg70N6Fy1bPo tHG/1c4we5YBt/BK/FNVYWgK3Fj3X3TElirsJwySvclnwJycdC6UBsMQlaUstV572r/b tQjWXL7mHn1kaEHB23wP4YhTnMssD+hRi5IKmEejzLrnmGDuYU3ldOddsrMcGUSdLW/9 By6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=n6uOTugl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 4-v6si19956048pfe.142.2018.10.08.08.39.24; Mon, 08 Oct 2018 08:39:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=n6uOTugl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726701AbeJHWhr (ORCPT + 99 others); Mon, 8 Oct 2018 18:37:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:55746 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726656AbeJHWhq (ORCPT ); Mon, 8 Oct 2018 18:37:46 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 54C1A20882; Mon, 8 Oct 2018 15:25:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539012332; bh=M1jApAVtan0XKlgYCvGn5G86G6AkNHO2606FWYNvuZM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=n6uOTuglJvlPTEO8vhJe1BMSrhEzECMR3VJU9UOleH9+JAstmZ9bskPJeI4nwRNrE fvlRTy9EPUcGM54e4wKf/i6OVF5+b4aJ/+TJyEWFZ7RaOv+W5SUYcijzWSVtmzqeSk FxbJvNSSyyFAvFj5GeheTORT3TSULbZ1QU2uOOVk= From: Sasha Levin To: stable@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Jozef Balga , Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH AUTOSEL 4.18 04/58] media: af9035: prevent buffer overflow on write Date: Mon, 8 Oct 2018 11:24:29 -0400 Message-Id: <20181008152523.70705-4-sashal@kernel.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181008152523.70705-1-sashal@kernel.org> References: <20181008152523.70705-1-sashal@kernel.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jozef Balga [ Upstream commit 312f73b648626a0526a3aceebb0a3192aaba05ce ] When less than 3 bytes are written to the device, memcpy is called with negative array size which leads to buffer overflow and kernel panic. This patch adds a condition and returns -EOPNOTSUPP instead. Fixes bugzilla issue 64871 [mchehab+samsung@kernel.org: fix a merge conflict and changed the condition to match the patch's comment, e. g. len == 3 could also be valid] Signed-off-by: Jozef Balga Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/usb/dvb-usb-v2/af9035.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/dvb-usb-v2/af9035.c b/drivers/media/usb/dvb-usb-v2/af9035.c index 666d319d3d1a..1f6c1eefe389 100644 --- a/drivers/media/usb/dvb-usb-v2/af9035.c +++ b/drivers/media/usb/dvb-usb-v2/af9035.c @@ -402,8 +402,10 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, if (msg[0].addr == state->af9033_i2c_addr[1]) reg |= 0x100000; - ret = af9035_wr_regs(d, reg, &msg[0].buf[3], - msg[0].len - 3); + ret = (msg[0].len >= 3) ? af9035_wr_regs(d, reg, + &msg[0].buf[3], + msg[0].len - 3) + : -EOPNOTSUPP; } else { /* I2C write */ u8 buf[MAX_XFER_SIZE]; -- 2.17.1