From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Mauro Carvalho Chehab, Al Viro, linux-media@vger.kernel.org (open list:MEDIA INPUT INFRASTRUCTURE (V4L/DVB)), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] media: dvb: fix a missing-check bug
Date: Fri, 19 Oct 2018 09:12:13 -0500
Message-Id: <1539958334-11531-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: linux-kernel@vger.kernel.org

In dvb_audio_write(), the first byte of the user-space buffer 'buf' is first copied and checked to see whether this is a TS packet, which always starts with 0x47 for synchronization purposes. If yes, ts_play() will be called. Otherwise, dvb_aplay() will be called. In ts_play(), the content of 'buf', including the first byte, is copied again from the user space. However, after the copy, no check is re-enforced on the first byte of the copied data. Given that 'buf' is in the user space, a malicious user can race to change the first byte after the check in dvb_audio_write() but before the copy in ts_play(). In this way, the user can supply inconsistent code, which can cause undefined behavior of the kernel and introduce a potential security risk.

This patch adds a necessary check in ts_play() to make sure the first byte acquired in the second copy contains the expected value. Otherwise, the error code EINVAL will be returned.

Signed-off-by: Wenwen Wang
---
 drivers/media/pci/ttpci/av7110_av.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/pci/ttpci/av7110_av.c b/drivers/media/pci/ttpci/av7110_av.c
index ef1bc17..1ff6062 100644
--- a/drivers/media/pci/ttpci/av7110_av.c
+++ b/drivers/media/pci/ttpci/av7110_av.c
@@ -468,6 +468,8 @@ static ssize_t ts_play(struct av7110 *av7110, const char __user *buf, } if (copy_from_user(kb, buf, TS_SIZE)) return -EFAULT; + if (kb[0] != 0x47) + return -EINVAL; write_ts_to_decoder(av7110, type, kb, TS_SIZE); todo -= TS_SIZE; buf += TS_SIZE; -- 2.7.4
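Review bot: the new "if (kb[0] != 0x47) return -EINVAL;" sits inside the per-packet loop (the "todo -= TS_SIZE; buf += TS_SIZE;" lines follow it), so a bad sync byte on the second or any later packet fails the whole write with -EINVAL even though the earlier packets have already been handed to write_ts_to_decoder(), and the caller cannot tell how much of its buffer was consumed. Consider returning the number of bytes already written when at least one packet has gone through (the loop already tracks this in todo) and -EINVAL only when the very first packet fails the check. Two smaller points: the commit message describes a check on "the first byte acquired in the second copy", but as written the check runs for every packet in the loop, so the message should say so; and the bare 0x47 deserves a named constant or a comment tying it to the TS sync byte, as the commit message does.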
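The race described in the commit message, as an added user-space model that is not the driver's code: copy_from_user(), dvb_audio_write(), ts_play() and the decoder are simplified stand-ins, the "attacker" is modelled by letting the user buffer change between the two fetches and always winning the race, and -EINVAL is represented by the hypothetical SIM_EINVAL (22). The example shows the first-fetch check being bypassed when ts_play() trusts its second copy, and the same input being rejected once the copied packet is re-checked.

```c
/* Added example, not kernel code: a user-space model of the double-fetch
 * race in dvb_audio_write() -> ts_play(). All names below are simplified
 * stand-ins; the attacker is simulated and always wins the race window. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TS_SIZE      188
#define TS_SYNC_BYTE 0x47
#define SIM_EINVAL   22     /* stands in for the kernel's EINVAL */
#define SIM_EFAULT   14     /* stands in for the kernel's EFAULT */

/* Simulated user memory. flip_after counts fetches; when it hits zero the
 * "attacker thread" rewrites byte 0 (assumption: the race is always won). */
struct user_buf {
    uint8_t data[2 * TS_SIZE];
    int     flip_after;
};

/* Stand-in for copy_from_user(): copy, then give the attacker a turn. */
static int sim_copy_from_user(void *dst, struct user_buf *ub, size_t off, size_t n)
{
    memcpy(dst, ub->data + off, n);
    if (ub->flip_after > 0 && --ub->flip_after == 0)
        ub->data[0] = 0x00;          /* sync byte vanishes after the peek */
    return 0;
}

/* Stand-in decoder: records how many packets arrived and how many lacked
 * the sync byte, i.e. how much inconsistent data got past the check. */
struct decoder {
    int packets;
    int bad_packets;
};

static void write_ts_to_decoder(struct decoder *d, const uint8_t *kb)
{
    d->packets++;
    if (kb[0] != TS_SYNC_BYTE)
        d->bad_packets++;
}

/* Simplified ts_play(): one copy per packet. recheck selects the hardened
 * form, i.e. the test the patch adds after copy_from_user(). */
static long ts_play(struct decoder *d, struct user_buf *ub, size_t count, int recheck)
{
    uint8_t kb[TS_SIZE];
    size_t todo = count, off = 0;

    while (todo >= TS_SIZE) {
        if (sim_copy_from_user(kb, ub, off, TS_SIZE))   /* fetch #2 */
            return -SIM_EFAULT;
        if (recheck && kb[0] != TS_SYNC_BYTE)
            return -SIM_EINVAL;      /* data changed under us: reject it */
        write_ts_to_decoder(d, kb);
        todo -= TS_SIZE;
        off  += TS_SIZE;
    }
    return (long)(count - todo);
}

/* Simplified dvb_audio_write(): peek at byte 0 (fetch #1), then dispatch.
 * The real driver falls through to dvb_aplay() on a non-TS first byte. */
static long dvb_audio_write(struct decoder *d, struct user_buf *ub, size_t count, int recheck)
{
    uint8_t first;

    if (sim_copy_from_user(&first, ub, 0, 1))
        return -SIM_EFAULT;
    if (first != TS_SYNC_BYTE)
        return -SIM_EINVAL;
    return ts_play(d, ub, count, recheck);
}

/* Builds a constructed two-packet TS buffer and runs one scenario. Returns
 * the write() result; *d records what the decoder was actually handed. */
static long run_scenario(int attacker_races, int recheck, struct decoder *d)
{
    struct user_buf ub;

    memset(&ub, 0, sizeof ub);
    ub.data[0]       = TS_SYNC_BYTE;
    ub.data[TS_SIZE] = TS_SYNC_BYTE;
    ub.flip_after    = attacker_races ? 1 : 0;   /* flip right after the peek */
    memset(d, 0, sizeof *d);
    return dvb_audio_write(d, &ub, sizeof ub.data, recheck);
}

int main(void)
{
    struct decoder d;
    long r;

    r = run_scenario(1, 0, &d);
    printf("no re-check, attacker races: ret=%ld bad_packets=%d\n", r, d.bad_packets);
    r = run_scenario(1, 1, &d);
    printf("re-check,    attacker races: ret=%ld bad_packets=%d\n", r, d.bad_packets);
    r = run_scenario(0, 1, &d);
    printf("re-check,    honest user:    ret=%ld bad_packets=%d\n", r, d.bad_packets);
    return 0;
}
```

Without the re-check the decoder receives a packet whose first byte is 0x00 even though dvb_audio_write() only saw 0x47; with it, the same race produces -EINVAL and nothing reaches the decoder, while an honest caller is unaffected. The general lesson is that a check on one copy of user memory says nothing about a second copy: validate the bytes you actually use.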