Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp256986ybi; Wed, 29 May 2019 20:47:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqyLatVeCjf6lVbfKGG5ozfobUByvG7whH2lfLiKUk+b8TG+8pZh5xOlbcXNNZ2Fbo8wG1vs X-Received: by 2002:a17:90a:b00b:: with SMTP id x11mr1471217pjq.61.1559188065747; Wed, 29 May 2019 20:47:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559188065; cv=none; d=google.com; s=arc-20160816; b=UYwHMDP5oOu/k56S8TetmhVN4Y0WogzEXQ5aQp6IjD0XCqWvgVSkFrt/No8ki3w7if 5lpJDxOlt0jPc9HctliosONK28ygySVP8sO0oyEFkqZW2ssZPs9XvYJkdKIhOj1eOCfy gq52/QEHF2Rs3RtdfmXqMynZNOxtJLhn82MiQNLko8Wm/GjhVClZt9oefUoKHSHLMFPQ zHDspjft/u77vcbIkq4XvS82gJMd1GkK4fL1/edeQw9bLSazko7/XaV+K/2Wxh5K4r/l tvUf7Isov2cnFaJ0KUvziAbQ7SX8+yLwymjKWowL4nrY6B/3G6kEgb4zU5fLib6gtH8v TwXA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=waPr/a42za+yt5BditMFzlYGV/ChhbTrIwVHo7cNt3Q=; b=haZln+0yDXmxyZ/AK+kjT5bA3+u9rI54iZ4vFg+Fgeqyu1/88X2iiUxRhyyi5wPiz+ ucLqfqR4dOL40o9mwce24L4QgdoQox0QRXW5kVgrslr6KGQXl6qGWVQ5Mghy3Mm+ELDW SFU1jSc7Je2nDUF0d1kECjlJgrKrdT844OwlFfLfQxCru9r2OdEihQnHASykpW8nTWkD zIopYfmz3gfjQBckZL6iQIQpmnNPhhmLU4M4l9lHClPgpUtOO4guydBANKoJpJmLyPi3 DqbGr5za+B09vdqjGEh2QVbLTkTsu/CB8/XLGQecpVFgliEiH+dz9JT9VeMnMxmNkWOe vVzg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ApvSibe0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 14si2372935pfw.143.2019.05.29.20.47.29; Wed, 29 May 2019 20:47:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ApvSibe0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732926AbfE3DpA (ORCPT + 99 others); Wed, 29 May 2019 23:45:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:60312 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732367AbfE3DUw (ORCPT ); Wed, 29 May 2019 23:20:52 -0400 Received: from localhost (ip67-88-213-2.z213-88-67.customer.algx.net [67.88.213.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D6D722492F; Thu, 30 May 2019 03:20:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1559186451; bh=3TA2AzyxQEl+G5zh5dnkbqdGmZr3VF6U1/rc6Iz8bqU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ApvSibe03Y8gIqUaggIXgymjULeZpmraAJSWe8q4T2u6UkyPMhKC2W2zgpNwUMcbW qQAusZYe2eE2TODDQqfaKkaYjzjq6NSCjyGD0HMwMj588j4gwK+KWjeDNiit6KOSnV wi3+QaiHQKE/Utfey7OgI3N2qvze3M9LySDInFyU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Hans Verkuil , Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH 4.9 063/128] media: pvrusb2: Prevent a buffer overflow Date: Wed, 29 May 2019 20:06:35 -0700 Message-Id: <20190530030446.046747137@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190530030432.977908967@linuxfoundation.org> References: <20190530030432.977908967@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ] The ctrl_check_input() function is called from pvr2_ctrl_range_check(). It's supposed to validate user supplied input and return true or false depending on whether the input is valid or not. The problem is that negative shifts or shifts greater than 31 are undefined in C. In practice with GCC they result in shift wrapping so this function returns true for some inputs which are not valid and this could result in a buffer overflow: drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname() warn: uncapped user index 'names[val]' The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create() and the highest valid bit is BIT(4). Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 ++ drivers/media/usb/pvrusb2/pvrusb2-hdw.h | 1 + 2 files changed, 3 insertions(+) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c index 1eb4f7ba2967d..ff489645e0701 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c @@ -670,6 +670,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp) static int ctrl_check_input(struct pvr2_ctrl *cptr,int v) { + if (v < 0 || v > PVR2_CVAL_INPUT_MAX) + return 0; return ((1 << v) & cptr->hdw->input_allowed_mask) != 0; } diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h index a82a00dd73293..80869990ffbbb 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h @@ -54,6 +54,7 @@ #define PVR2_CVAL_INPUT_COMPOSITE 2 #define PVR2_CVAL_INPUT_SVIDEO 3 #define PVR2_CVAL_INPUT_RADIO 4 +#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO enum pvr2_config { pvr2_config_empty, /* No configuration */ -- 2.20.1