Received: by 2002:a05:6a10:6006:0:0:0:0 with SMTP id w6csp1995276pxa; Sat, 29 Aug 2020 10:19:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyVIB6OAoCmdYPB2QSqx0KUZnRzGZjr0gK4YVM0fTKwKJZxCPzvnGGgJfYGmPfd9jRMCpLS X-Received: by 2002:a17:906:1604:: with SMTP id m4mr4282639ejd.6.1598721583049; Sat, 29 Aug 2020 10:19:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598721583; cv=none; d=google.com; s=arc-20160816; b=w4oMQmXNZrZR2gbjqHV7Y7MhddoKYKI4HLembbJp2CgD1Kw9qcX7W4yIrQyw+hZUlV vzh0Ef1/tkikuZcytc5EuqHf90tXravI4IW2HJT3LqcvMJ9Gvx8NYkZpCA5iVYJes3Q9 wif/omVmLwlxELv6L/FQZDgn91s/WWVbU+9lHR3cfDRrFe09dyhSMSdaUbnsK5Sto7AZ PVrVKqomMWG2Ylafq7Uo6TeuUtsNVW1DrIUsKcwATUHNTVtBEKsGfkC2PXSdVMIUZ0ze ntE0KT0F5aS40OjH+CCtcOlPL1sW53IDLpy7OtEQ1/TRTE6GaV++eVvj1J82X7pnH0gi Jp0A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=Abea6inMfVSlTjXCmmUDoscLeR7JZvWI82yqPL3Qx8s=; b=qlapDCB6MSeAPPWJYGAp18OGScICuRVQGpadH1a5F8zgjyb7UcW8XhWkhv9b+vSkaR GC/vWSxKKYr0a2XS2y+AcJjZiRSRvlw+TNOQwz7n1Q/izoVT8ynj6uj33Is1NvWD/eTy 9hPbfcueDDlYOl4uIYk+yKe3voTvz5FP0zEi2erldf1950YuG0SqVev0yzRUQAR9zVwd 0sSnA0wiPCHYvl+oNH6z+1Sh4y4P3GPfmYHm0l7binkZgMMT29Dx3YT6O9mFB9AHcStu I85fepKqqTB4e3qe5exXU/+EthN2qliQSdzLxmplk+jSMW5JWP+9+N4QZj0NevB1CDsz P4oQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass (test mode) header.i=@ideasonboard.com header.s=mail header.b="eatXXiu/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d11si1860222edu.494.2020.08.29.10.19.20; Sat, 29 Aug 2020 10:19:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass (test mode) header.i=@ideasonboard.com header.s=mail header.b="eatXXiu/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728280AbgH2RQZ (ORCPT + 99 others); Sat, 29 Aug 2020 13:16:25 -0400 Received: from perceval.ideasonboard.com ([213.167.242.64]:34236 "EHLO perceval.ideasonboard.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728105AbgH2RQY (ORCPT ); Sat, 29 Aug 2020 13:16:24 -0400 Received: from pendragon.ideasonboard.com (62-78-145-57.bb.dnainternet.fi [62.78.145.57]) by perceval.ideasonboard.com (Postfix) with ESMTPSA id 4A007303; Sat, 29 Aug 2020 19:16:21 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com; s=mail; t=1598721381; bh=CU4taoOmDFFhxm8biPJdqxmXviSj+cJCy+kfWTx+v4Y=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=eatXXiu/xs1ZWxxSvsVMx/+vF87ygwNUAh44oawI9uMl10KFjsicMvZRFIGTwAhpz YtnW5N1YBXXWHfgFMfAiZH6wzmhQlxq0PpN6JMNVNJ4y155f9ed/IzRIXkI8Vebdmt fcRB512voAIbAh6wmXQ1uz6O7a98B/QtmMS0hpcM= Date: Sat, 29 Aug 2020 20:16:00 +0300 From: Laurent Pinchart To: Pavel Machek Cc: Sasha Levin , linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jia-Ju Bai , Sean Young , Mauro Carvalho Chehab , linux-media@vger.kernel.org Subject: Re: [PATCH AUTOSEL 4.19 08/38] media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() Message-ID: <20200829171600.GA7465@pendragon.ideasonboard.com> References: <20200821161807.348600-1-sashal@kernel.org> <20200821161807.348600-8-sashal@kernel.org> <20200829121020.GA20944@duo.ucw.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20200829121020.GA20944@duo.ucw.cz> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Aug 29, 2020 at 02:10:20PM +0200, Pavel Machek wrote: > Hi! > > > The value av7110->debi_virt is stored in DMA memory, and it is assigned > > to data, and thus data[0] can be modified at any time by malicious > > hardware. In this case, "if (data[0] < 2)" can be passed, but then > > data[0] can be changed into a large number, which may cause buffer > > overflow when the code "av7110->ci_slot[data[0]]" is used. > > > > To fix this possible bug, data[0] is assigned to a local variable, which > > replaces the use of data[0]. > > I'm pretty sure hardware capable of manipulating memory can work > around any such checks, but... > > > +++ b/drivers/media/pci/ttpci/av7110.c > > @@ -424,14 +424,15 @@ static void debiirq(unsigned long cookie) > > case DATA_CI_GET: > > { > > u8 *data = av7110->debi_virt; > > + u8 data_0 = data[0]; > > > > - if ((data[0] < 2) && data[2] == 0xff) { > > + if (data_0 < 2 && data[2] == 0xff) { > > int flags = 0; > > if (data[5] > 0) > > flags |= CA_CI_MODULE_PRESENT; > > if (data[5] > 5) > > flags |= CA_CI_MODULE_READY; > > - av7110->ci_slot[data[0]].flags = flags; > > + av7110->ci_slot[data_0].flags = flags; > > This does not even do what it says. Compiler is still free to access > data[0] multiple times. It needs READ_ONCE() to be effective. Yes, it seems quite dubious to me. If we *really* want to guard against rogue hardware here, the whole DMA buffer should be copied. I don't think it's worth it, a rogue PCI device can do much more harm. -- Regards, Laurent Pinchart