Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp222589pxk; Sun, 30 Aug 2020 00:27:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx5lbgMv8OFfRlyrQSsa/2V5VcfL1NSw1MfmK8yP1iaAibgNc24BzrgvdWwkWf3xcXX/Oxx X-Received: by 2002:a17:906:1719:: with SMTP id c25mr6825873eje.487.1598772461692; Sun, 30 Aug 2020 00:27:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598772461; cv=none; d=google.com; s=arc-20160816; b=hWEeRos6ikqhE0x0GKj0RM3+T+dp8sXaN4uvZYPYhbIS0jLSGiF4g7z2ISRx6Pq6UT UGrnYcy/15CO7XGvqtXZ9Mp2DAyanlkT9wfD6fjOHyXnxds3vRtm9niXLn7iboRcUFJG 2uPVUca9GTIYmzGC+tUYgljNYLjr/tTAknw/plhKmBIVc8MvoIKwd3tnDHW1mHb0UvQc RLlWbZUJswrY1P655v6UudvuC8CdxVRrVunE08HYj4L5GJwaDMzLFzj5oHp8WTRXYAAN u6SdLxRcs5rzkw2LXla7GbeoHx3G86JWJwGwuIe5SKeVl/vuYp2Ay0AqjqX1SOArLMF2 j6rw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=qXYwnKOLWhNEPwD7rAPdp+REQXK8wa3fmfB24QwWBxI=; b=eZa2/u64lwe/NiAVRgLMIRG2aVRs74bIvGClcwZGooi9kD1XbVJUJpzD8Ozwsn+eLL neqIseCH2I8oaHEpoBMMZYf6XYGEPatc+udoMGn7vq7GqeJL+26+c7pfrtaRrLpR09JP 5O4YYPINkJKei5PTg0HaV6QBgUe6pjpllndVOctR37Bkxeb7mS3YPNV2xi8q+gamrjaN 9oWaqQEe5eeRkAwklAJKsCLDX2vpbL8RoFtTjiiCI/sF85Ctm3t/wAzV1BPKPfB5e+MP MnJ1Nvc6vWlLSUx0LKtJsfofq7Ij1Ule2rJv+Yzr8+faUtzB1Wg6VKNeppiXlKKVKaQG 15XQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v13si3737455edl.376.2020.08.30.00.27.19; Sun, 30 Aug 2020 00:27:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726528AbgH3HYi (ORCPT + 99 others); Sun, 30 Aug 2020 03:24:38 -0400 Received: from zg8tmja5ljk3lje4mi4ymjia.icoremail.net ([209.97.182.222]:58880 "HELO zg8tmja5ljk3lje4mi4ymjia.icoremail.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1725934AbgH3HYh (ORCPT ); Sun, 30 Aug 2020 03:24:37 -0400 Received: from [166.111.139.123] (unknown [166.111.139.123]) by app-3 (Coremail) with SMTP id EQQGZQCHOSYnVEtfzRnPAA--.24490S2; Sun, 30 Aug 2020 15:24:23 +0800 (CST) Subject: Re: [PATCH AUTOSEL 4.19 08/38] media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() To: Pavel Machek , Sasha Levin Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sean Young , Mauro Carvalho Chehab , linux-media@vger.kernel.org References: <20200821161807.348600-1-sashal@kernel.org> <20200821161807.348600-8-sashal@kernel.org> <20200829121020.GA20944@duo.ucw.cz> From: Jia-Ju Bai Message-ID: Date: Sun, 30 Aug 2020 15:24:24 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 MIME-Version: 1.0 In-Reply-To: <20200829121020.GA20944@duo.ucw.cz> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-CM-TRANSID: EQQGZQCHOSYnVEtfzRnPAA--.24490S2 X-Coremail-Antispam: 1UD129KBjvJXoW7ur4UWryrCFWkJr48tw1rCrg_yoW8Jw13pF WIq3W0qFs5tF9IkrW2vrsFvaykAa4xJryDGwsrA34UArZ0gF1xCFWkJF4ru3ZYkF98ZayI qF4Yq342gryqqaDanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvFb7Iv0xC_KF4lb4IE77IF4wAFF20E14v26r4j6ryUM7CY07I2 0VC2zVCF04k26cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rw A2F7IY1VAKz4vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Xr0_Ar1l84ACjcxK6xII jxv20xvEc7CjxVAFwI0_Cr0_Gr1UM28EF7xvwVC2z280aVAFwI0_GcCE3s1l84ACjcxK6I 8E87Iv6xkF7I0E14v26rxl6s0DM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI 64kE6c02F40Ex7xfMcIj6xIIjxv20xvE14v26r106r15McIj6I8E87Iv67AKxVWUJVW8Jw Am72CE4IkC6x0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lc7I2V7IY0VAS07AlzVAYIcxG8wCY 02Avz4vE14v_GF4l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxV Aqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r12 6r1DMIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6x kF7I0E14v26r1j6r4UMIIF0xvE42xK8VAvwI8IcIk0rVW3JVWrJr1lIxAIcVC2z280aVAF wI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVWUJVW8JbIYCTnIWIevJa73UjIFyTuYvj xU7LvtDUUUU X-CM-SenderInfo: xedlyxhdmxq3pvlqwxlxdovvfxof0/ Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020/8/29 20:10, Pavel Machek wrote: > Hi! > >> The value av7110->debi_virt is stored in DMA memory, and it is assigned >> to data, and thus data[0] can be modified at any time by malicious >> hardware. In this case, "if (data[0] < 2)" can be passed, but then >> data[0] can be changed into a large number, which may cause buffer >> overflow when the code "av7110->ci_slot[data[0]]" is used. >> >> To fix this possible bug, data[0] is assigned to a local variable, which >> replaces the use of data[0]. > I'm pretty sure hardware capable of manipulating memory can work > around any such checks, but... > >> +++ b/drivers/media/pci/ttpci/av7110.c >> @@ -424,14 +424,15 @@ static void debiirq(unsigned long cookie) >> case DATA_CI_GET: >> { >> u8 *data = av7110->debi_virt; >> + u8 data_0 = data[0]; >> >> - if ((data[0] < 2) && data[2] == 0xff) { >> + if (data_0 < 2 && data[2] == 0xff) { >> int flags = 0; >> if (data[5] > 0) >> flags |= CA_CI_MODULE_PRESENT; >> if (data[5] > 5) >> flags |= CA_CI_MODULE_READY; >> - av7110->ci_slot[data[0]].flags = flags; >> + av7110->ci_slot[data_0].flags = flags; > This does not even do what it says. Compiler is still free to access > data[0] multiple times. It needs READ_ONCE() to be effective. > > Thanks for this advice, I will submit a v2 patch soon. Best wishes, Jia-Ju Bai