Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp721035imu; Tue, 27 Nov 2018 05:26:45 -0800 (PST) X-Google-Smtp-Source: AFSGD/XGlZdv/4VVDjUXjpda5CC9jdBt/HyVyL4UGYbbWmvXL17pViZ78eYi4YKKxVt6yWhUCee1 X-Received: by 2002:a63:c503:: with SMTP id f3mr28504112pgd.431.1543325205548; Tue, 27 Nov 2018 05:26:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543325205; cv=none; d=google.com; s=arc-20160816; b=DsgOVGGicJ7R+TA07Ar3/FB4RBaXbItVD9X0puLBWRvIlNegC+QZdQCTzAPVl7RTOL y+OEI6Pj9ECwpJl1etT0pQLsfJnaCT5ekBGxf6kYZbocnGXZVgUwZqi0Z1ys/DPPS7aS 21Gcx+JRv8C8Y03E3uGNyQ8Zfx/rcHWWF/ASIV86pPS4Z0A50OVoxFX4dmA4PDOlOdqr WgNePM4dyYXIj1z6d2k7CAq8jiR7YhWYYU/fwjP8qc7eMN/a/PSCCvSOXmKRrNqBQqSb tRfiXGCN+zSocoLxjcoelIft6uvY3nRHZtOOt+QRKeP6m0f5yY4iX7+ATB8OSgpVvPvv qJ+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=0LpWaUdMnlNmM42ky6FaUEU9rm20Dr4F2fl/m1ZcCYg=; b=crNoIhEs6efpzL8/EPMzrb3qy5LrxU3AyVeIBwF7jctEeUeUh/tuWUVKQOlNi5+an7 YoddMPepdGEyGklRJV58WMxuCntLGWm/vgveBSkfuhqNuwzf8LbxhibTZ+tY5mZhkeat +nAx3si4vPId8cHunaNHIrFvC/6i80vpihnFjT2HNuYnkEVnb3yqX7MAxwqee8vEwkjI I3+bOE1cS4nX/05lydU0VC3Y9gjJZx+IYqTieNX0ro1a7hhkivtN8CpepPIEvWJXb66+ AOI1Q00VCjTeKUoZvuCJLP5y+1knYIb2Waa+dBD4NdbxXhkF1i+FedyaO+Vth5gvn187 doYw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 33-v6si4041203plk.407.2018.11.27.05.25.58; Tue, 27 Nov 2018 05:26:45 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730856AbeK0Vkz (ORCPT + 99 others); Tue, 27 Nov 2018 16:40:55 -0500 Received: from gofer.mess.org ([88.97.38.141]:39103 "EHLO gofer.mess.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726576AbeK0Vkz (ORCPT ); Tue, 27 Nov 2018 16:40:55 -0500 Received: by gofer.mess.org (Postfix, from userid 1000) id 9B49D60317; Tue, 27 Nov 2018 10:43:25 +0000 (GMT) Date: Tue, 27 Nov 2018 10:43:25 +0000 From: Sean Young To: Wenwen Wang Cc: Kangjie Lu , Mauro Carvalho Chehab , viro@zeniv.linux.org.uk, "open list:STAGING - ATOMISP DRIVER" , open list Subject: Re: [PATCH] media: dvb: fix a missing-check bug Message-ID: <20181127104325.x23qy6cq6ddxee57@gofer.mess.org> References: <1539958334-11531-1-git-send-email-wang6495@umn.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Wenwen, On Mon, Oct 29, 2018 at 01:46:04PM -0500, Wenwen Wang wrote: > Hello, > > Can anyone confirm this bug? Thanks! > > Wenwen > > On Fri, Oct 19, 2018 at 9:12 AM Wenwen Wang wrote: > > > > In dvb_audio_write(), the first byte of the user-space buffer 'buf' is > > firstly copied and checked to see whether this is a TS packet, which always > > starts with 0x47 for synchronization purposes. If yes, ts_play() will be > > called. Otherwise, dvb_aplay() will be called. In ts_play(), the content of > > 'buf', including the first byte, is copied again from the user space. > > However, after the copy, no check is re-enforced on the first byte of the > > copied data. Given that 'buf' is in the user space, a malicious user can > > race to change the first byte after the check in dvb_audio_write() but > > before the copy in ts_play(). Up to here your analysis makes sense. > > Through this way, the user can supply > > inconsistent code, which can cause undefined behavior of the kernel and > > introduce potential security risk. So how can this cause undefined behaviour? > > This patch adds a necessary check in ts_play() to make sure the first byte > > acquired in the second copy contains the expected value. Otherwise, an > > error code EINVAL will be returned. So what about the other case, if dvb_play() was called due to the first byte not being 0x47 and then swapped for 0x47? Sean > > > > Signed-off-by: Wenwen Wang > > --- > > drivers/media/pci/ttpci/av7110_av.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/drivers/media/pci/ttpci/av7110_av.c b/drivers/media/pci/ttpci/av7110_av.c > > index ef1bc17..1ff6062 100644 > > --- a/drivers/media/pci/ttpci/av7110_av.c > > +++ b/drivers/media/pci/ttpci/av7110_av.c > > @@ -468,6 +468,8 @@ static ssize_t ts_play(struct av7110 *av7110, const char __user *buf, > > } > > if (copy_from_user(kb, buf, TS_SIZE)) > > return -EFAULT; > > + if (kb[0] != 0x47) > > + return -EINVAL; > > write_ts_to_decoder(av7110, type, kb, TS_SIZE); > > todo -= TS_SIZE; > > buf += TS_SIZE; > > -- > > 2.7.4 > >