From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Mauro Carvalho Chehab"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 119/328] media: rtl28xxu: be sure that it won't go past the array size

3.16.62-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab

commit 845b978a871bff3707eee611b32e4be0b9a94dd2 upstream.

smatch warns that the RC query code could go past the array size:

	drivers/media/usb/dvb-usb-v2/rtl28xxu.c:1757 rtl2832u_rc_query() error: buffer overflow 'buf' 128 <= 130
	drivers/media/usb/dvb-usb-v2/rtl28xxu.c:1758 rtl2832u_rc_query() error: buffer overflow 'buf' 128 <= 130

The driver logic gets the length of the IR RX buffer with:

	ret = rtl28xxu_rd_reg(d, IR_RX_BC, &buf[0]);
	...
	len = buf[0];

In thesis, this could range between 0 and 255 [1]. While this should
never happen in practice, due to hardware limits, smatch is right when
it complains about that, as there's nothing at the logic that would
prevent it. So, if for whatever reason, buf[0] gets filled by rtl28xx
read functions with a value bigger than 128, it will go past the array.

So, add an explicit check.

[1] I've no idea why smatch thinks that the maximum value is 130.
I double-checked the code several times. Was unable to find any
reason for assuming 130. Perhaps smatch is not properly parsing u8 here?

Fixes: b5cbaa43a676 ("[media] rtl28xx: initial support for rtl2832u")
Signed-off-by: Mauro Carvalho Chehab
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings --- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -1379,7 +1379,7 @@ static int rtl2832u_rc_query(struct dvb_ goto exit; ret = rtl28xx_rd_reg(d, IR_RX_BC, &buf[0]); - if (ret) + if (ret || buf[0] > sizeof(buf)) goto err; len = buf[0];
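
Review bot: On the new `buf[0] > sizeof(buf)` branch of the combined test, `ret` is still 0 when `goto err` is taken, so the error path runs with a success code and whatever the `err` label logs or returns will carry 0 unless it overwrites `ret`. Consider splitting the length test into its own `if` that sets an explicit error (for example `ret = -EIO;`) before jumping. The bound is also inclusive: a device-reported count equal to `sizeof(buf)` is accepted, which is correct only if `len` is used as a byte count for filling `buf` and as an exclusive loop limit; any later access at `buf[len]` or beyond would still need its own check.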