Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1867855pxk; Tue, 1 Sep 2020 09:36:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwWV/hBgIcr0rjQcL+impe3KpGUS1gXzxx82eTqDWx5gLfARM3cTJfHdK7hCetLY/PoH9c9 X-Received: by 2002:a50:af83:: with SMTP id h3mr2528054edd.139.1598978173803; Tue, 01 Sep 2020 09:36:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598978173; cv=none; d=google.com; s=arc-20160816; b=MgVkD+jzfPJDlYTQ9CmCVSbViTmHJ5ErZtN5ou1JuQI4r0A3bsyhDkISIarmgVci3E MtnZ2coK+/CJbHclfaifgL0Xl7O71ub7KLW6sKWjNvdvRi+sQQVLbYGUFsKrfvxI4uPC ahkc+2wrAPxH2SHoSMGhCzg/jms2Uk8G2zG4RKzjZJEEjhu5zs5rXAghMRCz8JRlNbZP A2aPWuxzhlS0aEo9EFJxly8NhRFSIjJOgY7jy0NUWP3U1gIkaX5P2BSGr2y65Dp8a6uV DqxsOKRUuh/tKFC16Jt9zVULcpTQfT1wiGWV2KhL0Zsc1vetKuWCCf8jc6Z/4X+P7/Rd RbWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=L4pE6ha2WGw9/MgAOQzs1intMveDn+xNQnK4tG378bc=; b=M4UF0U5M4iR+3ID7scOawKs/d7A01pZl/RurwauFZyYJx/1Bo5Qf4rp4+cy1GcM7lA M82P/M+ocJA/J/wExHMI3lZyMIYCsawQw15NirogLUquE0ZlMtgA0OQoZ61d9ZWHorbO Es7ZfqWXKoU89Y9uDeo6fSd6JQkD3HQT9XOCzfUFz51CpTTffb4wBtzRITHaLRmjzYyU FiG+Cmqpep7GSvLmx3v72qyhpDN9M/ldldRxYKKog5XsxAhvqCAc7UgzNVz9rJi+bpVZ do96E3yfriuuISDKTFalpoIpo3BZ13pYjKwRyezi2arvkdHEEKSk39yAotez8UulWqVZ CMiA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="L/iEuxCO"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v18si860114eda.321.2020.09.01.09.35.50; Tue, 01 Sep 2020 09:36:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="L/iEuxCO"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730863AbgIAQfE (ORCPT + 99 others); Tue, 1 Sep 2020 12:35:04 -0400 Received: from mail.kernel.org ([198.145.29.99]:49268 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730758AbgIAQe4 (ORCPT ); Tue, 1 Sep 2020 12:34:56 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1EA5E2065F; Tue, 1 Sep 2020 16:34:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598978095; bh=HBkRRvQE+GiQk8IOw0FoaBIHoluBbUBv6L4fFWhsE5A=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=L/iEuxCO+KfmZi287JoZ65Tq12nYlzvVrD+ML3ClX0nNGPTK2N2lPuulBIkC9QUl/ 8rBiVmFR7U3ypc52pchwlRwqrwzLOUdwfvGIFFl1E7tbGDO8whMdDje1Zheb5V1Qpm 2NqKXJIiQXGMoOp5C+4Zd6y6OxtYfiJmivTRVmiM= Date: Tue, 1 Sep 2020 18:35:23 +0200 From: Greg Kroah-Hartman To: Sean Young Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jia-Ju Bai , Mauro Carvalho Chehab , Sasha Levin Subject: Re: [PATCH 4.19 016/125] media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() Message-ID: <20200901163523.GA1458104@kroah.com> References: <20200901150934.576210879@linuxfoundation.org> <20200901150935.368387062@linuxfoundation.org> <20200901162512.GA30837@gofer.mess.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200901162512.GA30837@gofer.mess.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 01, 2020 at 05:25:12PM +0100, Sean Young wrote: > Greg, > > On Tue, Sep 01, 2020 at 05:09:31PM +0200, Greg Kroah-Hartman wrote: > > From: Jia-Ju Bai > > > > [ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ] > > > > The value av7110->debi_virt is stored in DMA memory, and it is assigned > > to data, and thus data[0] can be modified at any time by malicious > > hardware. In this case, "if (data[0] < 2)" can be passed, but then > > data[0] can be changed into a large number, which may cause buffer > > overflow when the code "av7110->ci_slot[data[0]]" is used. > > > > To fix this possible bug, data[0] is assigned to a local variable, which > > replaces the use of data[0]. > > See the discussion here: > > https://lkml.org/lkml/2020/8/31/479 > > It does not seem worthwhile merging to the stable trees. It doesn't hurt either :) thanks, greg k-h