rpms / kernel

Clone
Source Code
GIT

Blame si2168-Bounds-check-firmware.patch

26 Label_NFS f10 f11 f12 f12-user-myoung-xendom0 f13 f13-2.6.33-master f13-user-steved-pnfs-13 f14 f14-user-kyle-bz664206 f14-user-kyle-f14-2.6.37 f14-user-lkundrak-vaio-brightness-645937 f14-user-steved-pnfs-f14 f15 f15-2.6.39 f15-30-going-on-40 f15-user-steved-pnfs-f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f25-pf f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 main oneoffs private-jcm-arm-nosmp-kallsyms private-jcm-arm-nosmp-kallsyms-f17 private-nhorman-sgx-v15 rawhide rhbz_1205083 stabilization talos user/steved/f19-lnfs-v3.8 user/steved/f19-lnfs-v3.8-rc7
  1.   92c1f2edcf74cbcce7dd67afa0b75386d12f0cd3
  2.   si2168-Bounds-check-firmware.patch
Blob History Raw
48f65f6 
From 43018528944fa4965a4048fee91d76b47dcaf60e Mon Sep 17 00:00:00 2001
48f65f6 
From: Laura Abbott <labbott@fedoraproject.org>
48f65f6 
Date: Mon, 28 Sep 2015 14:10:34 -0700
48f65f6 
Subject: [PATCH 1/2] si2168: Bounds check firmware
48f65f6 
To: Antti Palosaari <crope@iki.fi>
48f65f6 
To: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
48f65f6 
Cc: Olli Salonen <olli.salonen@iki.fi>
48f65f6 
Cc: linux-media@vger.kernel.org
48f65f6 
Cc: linux-kernel@vger.kernel.org
48f65f6 
Cc: Stuart Auchterlonie <sauchter@redhat.com>
48f65f6
48f65f6
48f65f6 
When reading the firmware and sending commands, the length must
48f65f6 
be bounds checked to avoid overrunning the size of the command
48f65f6 
buffer and smashing the stack if the firmware is not in the expected
48f65f6 
format:
48f65f6
48f65f6 
si2168 11-0064: found a 'Silicon Labs Si2168-B40'
48f65f6 
si2168 11-0064: downloading firmware from file 'dvb-demod-si2168-b40-01.fw'
48f65f6 
si2168 11-0064: firmware download failed -95
48f65f6 
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa085708f
48f65f6
48f65f6 
Add the proper check.
48f65f6
48f65f6 
Cc: stable@kernel.org
48f65f6 
Reported-by: Stuart Auchterlonie <sauchter@redhat.com>
48f65f6 
Reviewed-by: Antti Palosaari <crope@iki.fi>
48f65f6 
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
48f65f6 
---
48f65f6 
 drivers/media/dvb-frontends/si2168.c | 4 ++++
48f65f6 
 1 file changed, 4 insertions(+)
48f65f6
48f65f6 
diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c
48f65f6 
index 81788c5..821a8f4 100644
48f65f6 
--- a/drivers/media/dvb-frontends/si2168.c
48f65f6 
+++ b/drivers/media/dvb-frontends/si2168.c
48f65f6 
@@ -502,6 +502,10 @@ static int si2168_init(struct dvb_frontend *fe)
48f65f6 
 		/* firmware is in the new format */
48f65f6 
 		for (remaining = fw->size; remaining > 0; remaining -= 17) {
48f65f6 
 			len = fw->data[fw->size - remaining];
48f65f6 
+			if (len > SI2168_ARGLEN) {
48f65f6 
+				ret = -EINVAL;
48f65f6 
+				break;
48f65f6 
+			}
48f65f6 
 			memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
48f65f6 
 			cmd.wlen = len;
48f65f6 
 			cmd.rlen = 1;
48f65f6 
--
48f65f6 
2.4.3
48f65f6
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.