Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp23566pxk; Sat, 29 Aug 2020 14:25:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwkWPv9HxAVOuLvnJKyYP+4NTCRRaE0XhAoNFjDndGBEURRSS7XaZdVmU/MN78TxyTfttvs X-Received: by 2002:a50:fc0e:: with SMTP id i14mr4845767edr.346.1598736348236; Sat, 29 Aug 2020 14:25:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598736348; cv=none; d=google.com; s=arc-20160816; b=nEw6sDRzXd8sMhQP7hMctjGGyuLAEg9o5Tfw0kCEd0s9rrz3zdoGj+NcgMdMvYhZv9 hLGA0bP+YOPm8gXrQD5/PiJbT4v4ne9iw0CyZ6+ViPv+XRyIsYO5ZvwxqcfBh7M+FV21 lQrvNvmmZUxoAxKp66Cqy8amuoSdL/0ZntCBqSbGeKwZaeCPgSmG4QE/69hbftcKSXJO dw0knxj612ML3YUEAXjPsqYmYR80sm4rU4nd0UaM2RLpSejZNLjS5hqVcM2sfvLGLtli tJTfIlca8AreotIhu5h1RWNs7TMJY6mHKtMHhXFz+1jfUpam2WnmWQl3kMTO3gDd4Xyz 1Phw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=i96nEioTPElXPEdEXIQac6tMDEdjdLiRjm3psD0D6MA=; b=XbcOEL0kJ1+TUIsokQjn/mP04ZXA0ZU35Zd787+fyJOIAVMFrxZaRQ824U4FysPQxJ SXFrE/OfImIr3VqYqOnRePTuPb1jTqoUh8OD7Zvd2DC2neCcra0a95vXMp3LHY8jR67y q4ChWI78w2trZxgYnuhvZtpk5QL2pVB3R9tAffA4p2VPRIoWub65I/V1BVhG/k7T7h5F ihE71UxynOGIri2du/ks8K/jnCUrdd6yKyHz7/gtwLnwBs7nKa9uJsNSP3ijiyn/J1cF 3fkzXvHusMNNh8X7PsfJ3WD1V8p8ijhjCkK9D1aBrBpZcGWV8fWEhq+yDT/LdRMVggaO JaVA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b5si2334146eds.24.2020.08.29.14.25.25; Sat, 29 Aug 2020 14:25:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728493AbgH2VYo (ORCPT + 99 others); Sat, 29 Aug 2020 17:24:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60194 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728384AbgH2VYn (ORCPT ); Sat, 29 Aug 2020 17:24:43 -0400 Received: from gofer.mess.org (gofer.mess.org [IPv6:2a02:8011:d000:212::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 47A8EC061573; Sat, 29 Aug 2020 14:24:43 -0700 (PDT) Received: by gofer.mess.org (Postfix, from userid 1000) id AB734C638A; Sat, 29 Aug 2020 22:24:35 +0100 (BST) Date: Sat, 29 Aug 2020 22:24:35 +0100 From: Sean Young To: Laurent Pinchart Cc: Pavel Machek , Sasha Levin , linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jia-Ju Bai , Mauro Carvalho Chehab , linux-media@vger.kernel.org Subject: Re: [PATCH AUTOSEL 4.19 08/38] media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() Message-ID: <20200829212435.GA9195@gofer.mess.org> References: <20200821161807.348600-1-sashal@kernel.org> <20200821161807.348600-8-sashal@kernel.org> <20200829121020.GA20944@duo.ucw.cz> <20200829171600.GA7465@pendragon.ideasonboard.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200829171600.GA7465@pendragon.ideasonboard.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Aug 29, 2020 at 08:16:00PM +0300, Laurent Pinchart wrote: > On Sat, Aug 29, 2020 at 02:10:20PM +0200, Pavel Machek wrote: > > Hi! > > > > > The value av7110->debi_virt is stored in DMA memory, and it is assigned > > > to data, and thus data[0] can be modified at any time by malicious > > > hardware. In this case, "if (data[0] < 2)" can be passed, but then > > > data[0] can be changed into a large number, which may cause buffer > > > overflow when the code "av7110->ci_slot[data[0]]" is used. > > > > > > To fix this possible bug, data[0] is assigned to a local variable, which > > > replaces the use of data[0]. > > > > I'm pretty sure hardware capable of manipulating memory can work > > around any such checks, but... > > > > > +++ b/drivers/media/pci/ttpci/av7110.c > > > @@ -424,14 +424,15 @@ static void debiirq(unsigned long cookie) > > > case DATA_CI_GET: > > > { > > > u8 *data = av7110->debi_virt; > > > + u8 data_0 = data[0]; > > > > > > - if ((data[0] < 2) && data[2] == 0xff) { > > > + if (data_0 < 2 && data[2] == 0xff) { > > > int flags = 0; > > > if (data[5] > 0) > > > flags |= CA_CI_MODULE_PRESENT; > > > if (data[5] > 5) > > > flags |= CA_CI_MODULE_READY; > > > - av7110->ci_slot[data[0]].flags = flags; > > > + av7110->ci_slot[data_0].flags = flags; > > > > This does not even do what it says. Compiler is still free to access > > data[0] multiple times. It needs READ_ONCE() to be effective. > > Yes, it seems quite dubious to me. If we *really* want to guard against > rogue hardware here, the whole DMA buffer should be copied. I don't > think it's worth it, a rogue PCI device can do much more harm. That is a good point. I'm not sure what the kernel could do to protect against a malicious PCI device (that can do dma) so this patch is totally pointless. Thanks Sean