Message ID | YHaulytonFcW+lyZ@mwanda (mailing list archive) |
---|---|
State | Superseded, archived |
Headers |
Received: from vger.kernel.org ([23.128.96.18]) by www.linuxtv.org with esmtp (Exim 4.92) (envelope-from <linux-media-owner@vger.kernel.org>) id 1lWbOP-0085M6-JC; Wed, 14 Apr 2021 09:01:03 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237964AbhDNJBS (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Wed, 14 Apr 2021 05:01:18 -0400 Received: from userp2120.oracle.com ([156.151.31.85]:47098 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350331AbhDNJBB (ORCPT <rfc822;linux-media@vger.kernel.org>); Wed, 14 Apr 2021 05:01:01 -0400 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 13E8tVXk072503; Wed, 14 Apr 2021 08:58:13 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : mime-version : content-type : in-reply-to; s=corp-2020-01-29; bh=En+uOg9GFocC1SYz6W2EUz02GPeroGC/7J/dzkiPHJg=; b=owc89vWCSuernGisM2V2yloJE7VDIss1WJJyjOeTQ46d8sX8Pk7tMEMQCvjyjr5V4IHP JqjDjbGaRr3/rN4iNfzXdnJOrsNk92esGei/xUS6we9Nwfa2XCfMdqfhUgw9af/jB9Fp m01jQOo3A2i52Ka9Tc8l48+/YRE0uc0Kk88+KyMArc2WUVpz+QXsl4HHKbR3R9hq+cCf oJspeofubzYYnUyBFo/XQbAuGCxgCU95dofRDCy9blFucxnGlL3v9GVp599RHkkyzPpL kZURL99EnS97KJuWOd57PcTuTztFdiYVq01EsCoC0HQ6xfailNMLgdAslHgz2wFHs8bt OQ== Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70]) by userp2120.oracle.com with ESMTP id 37u4nnhnuc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Apr 2021 08:58:13 +0000 Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1]) by aserp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 13E8tj58096437; Wed, 14 Apr 2021 08:58:11 GMT Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserp3020.oracle.com with ESMTP id 37unx1131j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Apr 2021 08:58:11 +0000 Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 13E8w6SN023662; Wed, 14 Apr 2021 08:58:06 GMT Received: from mwanda (/10.175.166.128) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 14 Apr 2021 01:58:05 -0700 Date: Wed, 14 Apr 2021 11:57:59 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: Stefan Richter <stefanr@s5r6.in-berlin.de>, Luo Likang <luolikang@nsfocus.com> Cc: security@kernel.org, linux-distros@vs.openwall.org, Mauro Carvalho Chehab <mchehab@kernel.org>, linux-media@vger.kernel.org, linux1394-devel@lists.sourceforge.net Subject: [PATCH] media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() Message-ID: <YHaulytonFcW+lyZ@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <000001d73031$d5304480$7f90cd80$@nsfocus.com> X-Mailer: git-send-email haha only kidding X-Proofpoint-IMR: 1 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=9953 signatures=668683 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 suspectscore=0 mlxscore=0 malwarescore=0 adultscore=0 bulkscore=0 spamscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104060000 definitions=main-2104140063 X-Proofpoint-ORIG-GUID: _Albd3AHUy9Ljndxg5nYNJESfSKDAPd_ X-Proofpoint-GUID: _Albd3AHUy9Ljndxg5nYNJESfSKDAPd_ X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=9953 signatures=668683 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 malwarescore=0 phishscore=0 suspectscore=0 mlxlogscore=999 priorityscore=1501 clxscore=1011 lowpriorityscore=0 spamscore=0 impostorscore=0 bulkscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104060000 definitions=main-2104140063 Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org X-LSpam-Score: -2.5 (--) X-LSpam-Report: No, score=-2.5 required=5.0 tests=BAYES_00=-1.9,DKIMWL_WL_HIGH=0.001,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.5,MAILING_LIST_MULTI=-1,UNPARSEABLE_RELAY=0.001 autolearn=ham autolearn_force=no |
Series |
media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()
|
|
Commit Message
Dan Carpenter
April 14, 2021, 8:57 a.m. UTC
The bounds checking in avc_ca_pmt() is not strict enough. It should
be checking "read_pos + 4" because it's reading 5 bytes. If the
"es_info_length" is non-zero then it reads a 6th byte so there needs to
be an additional check for that.
I also added checks for the "write_pos". I don't think these are
required because "read_pos" and "write_pos" are tied together so
checking one ought to be enough. But they make the code easier to
understand for me.
The other problem is that "length" can be invalid. It comes from
"data_length" in fdtv_ca_pmt().
Cc: stable@vger.kernel.org
Reported-by: Luo Likang <luolikang@nsfocus.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This hardware isn't super common so there is no embargo. Resending
through normal lists.
Oh, another thing is the data_length calculation in fdtv_ca_pmt() seems
very suspicous. Reading more than 4 bytes in the loop will lead to
shift wrapping.
drivers/media/firewire/firedtv-avc.c | 14 +++++++++++---
drivers/media/firewire/firedtv-ci.c | 2 ++
2 files changed, 13 insertions(+), 3 deletions(-)
Comments
On Wed, Apr 14, 2021 at 11:57:59AM +0300, Dan Carpenter wrote: > The bounds checking in avc_ca_pmt() is not strict enough. It should > be checking "read_pos + 4" because it's reading 5 bytes. If the > "es_info_length" is non-zero then it reads a 6th byte so there needs to > be an additional check for that. > > I also added checks for the "write_pos". I don't think these are > required because "read_pos" and "write_pos" are tied together so > checking one ought to be enough. But they make the code easier to > understand for me. > > The other problem is that "length" can be invalid. It comes from > "data_length" in fdtv_ca_pmt(). > > Cc: stable@vger.kernel.org > Reported-by: Luo Likang <luolikang@nsfocus.com> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Thanks for the report and the fix! As a quick note on alternative mitigations, it seems that CONFIG_UBSAN_BOUNDS would have caught this at runtime too. (i.e. c->operand[]'s size is known at build time, so out of bounds indexing should be detected.) -Kees > --- > This hardware isn't super common so there is no embargo. Resending > through normal lists. > > Oh, another thing is the data_length calculation in fdtv_ca_pmt() seems > very suspicous. Reading more than 4 bytes in the loop will lead to > shift wrapping. > > drivers/media/firewire/firedtv-avc.c | 14 +++++++++++--- > drivers/media/firewire/firedtv-ci.c | 2 ++ > 2 files changed, 13 insertions(+), 3 deletions(-) > > diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c > index 2bf9467b917d..71991f8638e6 100644 > --- a/drivers/media/firewire/firedtv-avc.c > +++ b/drivers/media/firewire/firedtv-avc.c > @@ -1165,7 +1165,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > read_pos += program_info_length; > write_pos += program_info_length; > } > - while (read_pos < length) { > + while (read_pos + 4 < length) { > + if (write_pos + 4 >= sizeof(c->operand) - 4) { > + ret = -EINVAL; > + goto out; > + } > c->operand[write_pos++] = msg[read_pos++]; > c->operand[write_pos++] = msg[read_pos++]; > c->operand[write_pos++] = msg[read_pos++]; > @@ -1177,13 +1181,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > c->operand[write_pos++] = es_info_length >> 8; > c->operand[write_pos++] = es_info_length & 0xff; > if (es_info_length > 0) { > + if (read_pos >= length) { > + ret = -EINVAL; > + goto out; > + } > pmt_cmd_id = msg[read_pos++]; > if (pmt_cmd_id != 1 && pmt_cmd_id != 4) > dev_err(fdtv->device, "invalid pmt_cmd_id %d at stream level\n", > pmt_cmd_id); > > - if (es_info_length > sizeof(c->operand) - 4 - > - write_pos) { > + if (es_info_length > sizeof(c->operand) - 4 - write_pos || > + es_info_length > length - read_pos) { > ret = -EINVAL; > goto out; > } > diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c > index 9363d005e2b6..2d6992ac5dd6 100644 > --- a/drivers/media/firewire/firedtv-ci.c > +++ b/drivers/media/firewire/firedtv-ci.c > @@ -134,6 +134,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg) > } else { > data_length = msg->msg[3]; > } > + if (data_length > sizeof(msg->msg) - 4) > + return -EINVAL; > > return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length); > } > -- > 2.30.2 >
This was marked as superseded in patchwork. What are we going to apply instead? regards, dan carpenter On Wed, Apr 14, 2021 at 11:57:59AM +0300, Dan Carpenter wrote: > The bounds checking in avc_ca_pmt() is not strict enough. It should > be checking "read_pos + 4" because it's reading 5 bytes. If the > "es_info_length" is non-zero then it reads a 6th byte so there needs to > be an additional check for that. > > I also added checks for the "write_pos". I don't think these are > required because "read_pos" and "write_pos" are tied together so > checking one ought to be enough. But they make the code easier to > understand for me. > > The other problem is that "length" can be invalid. It comes from > "data_length" in fdtv_ca_pmt(). > > Cc: stable@vger.kernel.org > Reported-by: Luo Likang <luolikang@nsfocus.com> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > This hardware isn't super common so there is no embargo. Resending > through normal lists. > > Oh, another thing is the data_length calculation in fdtv_ca_pmt() seems > very suspicous. Reading more than 4 bytes in the loop will lead to > shift wrapping. > > drivers/media/firewire/firedtv-avc.c | 14 +++++++++++--- > drivers/media/firewire/firedtv-ci.c | 2 ++ > 2 files changed, 13 insertions(+), 3 deletions(-) > > diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c > index 2bf9467b917d..71991f8638e6 100644 > --- a/drivers/media/firewire/firedtv-avc.c > +++ b/drivers/media/firewire/firedtv-avc.c > @@ -1165,7 +1165,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > read_pos += program_info_length; > write_pos += program_info_length; > } > - while (read_pos < length) { > + while (read_pos + 4 < length) { > + if (write_pos + 4 >= sizeof(c->operand) - 4) { > + ret = -EINVAL; > + goto out; > + } > c->operand[write_pos++] = msg[read_pos++]; > c->operand[write_pos++] = msg[read_pos++]; > c->operand[write_pos++] = msg[read_pos++]; > @@ -1177,13 +1181,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > c->operand[write_pos++] = es_info_length >> 8; > c->operand[write_pos++] = es_info_length & 0xff; > if (es_info_length > 0) { > + if (read_pos >= length) { > + ret = -EINVAL; > + goto out; > + } > pmt_cmd_id = msg[read_pos++]; > if (pmt_cmd_id != 1 && pmt_cmd_id != 4) > dev_err(fdtv->device, "invalid pmt_cmd_id %d at stream level\n", > pmt_cmd_id); > > - if (es_info_length > sizeof(c->operand) - 4 - > - write_pos) { > + if (es_info_length > sizeof(c->operand) - 4 - write_pos || > + es_info_length > length - read_pos) { > ret = -EINVAL; > goto out; > } > diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c > index 9363d005e2b6..2d6992ac5dd6 100644 > --- a/drivers/media/firewire/firedtv-ci.c > +++ b/drivers/media/firewire/firedtv-ci.c > @@ -134,6 +134,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg) > } else { > data_length = msg->msg[3]; > } > + if (data_length > sizeof(msg->msg) - 4) > + return -EINVAL; > > return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length); > } > -- > 2.30.2
On Wed, Apr 14, 2021 at 11:57:59AM +0300, Dan Carpenter wrote: > The bounds checking in avc_ca_pmt() is not strict enough. It should > be checking "read_pos + 4" because it's reading 5 bytes. If the > "es_info_length" is non-zero then it reads a 6th byte so there needs to > be an additional check for that. > > I also added checks for the "write_pos". I don't think these are > required because "read_pos" and "write_pos" are tied together so > checking one ought to be enough. But they make the code easier to > understand for me. > > The other problem is that "length" can be invalid. It comes from > "data_length" in fdtv_ca_pmt(). > > Cc: stable@vger.kernel.org > Reported-by: Luo Likang <luolikang@nsfocus.com> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > This hardware isn't super common so there is no embargo. Resending > through normal lists. > > Oh, another thing is the data_length calculation in fdtv_ca_pmt() seems > very suspicous. Reading more than 4 bytes in the loop will lead to > shift wrapping. > > drivers/media/firewire/firedtv-avc.c | 14 +++++++++++--- > drivers/media/firewire/firedtv-ci.c | 2 ++ > 2 files changed, 13 insertions(+), 3 deletions(-) > > diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c > index 2bf9467b917d..71991f8638e6 100644 > --- a/drivers/media/firewire/firedtv-avc.c > +++ b/drivers/media/firewire/firedtv-avc.c > @@ -1165,7 +1165,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > read_pos += program_info_length; > write_pos += program_info_length; > } > - while (read_pos < length) { > + while (read_pos + 4 < length) { > + if (write_pos + 4 >= sizeof(c->operand) - 4) { > + ret = -EINVAL; > + goto out; > + } > c->operand[write_pos++] = msg[read_pos++]; > c->operand[write_pos++] = msg[read_pos++]; > c->operand[write_pos++] = msg[read_pos++]; > @@ -1177,13 +1181,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > c->operand[write_pos++] = es_info_length >> 8; > c->operand[write_pos++] = es_info_length & 0xff; > if (es_info_length > 0) { > + if (read_pos >= length) { > + ret = -EINVAL; > + goto out; > + } > pmt_cmd_id = msg[read_pos++]; > if (pmt_cmd_id != 1 && pmt_cmd_id != 4) > dev_err(fdtv->device, "invalid pmt_cmd_id %d at stream level\n", > pmt_cmd_id); > > - if (es_info_length > sizeof(c->operand) - 4 - > - write_pos) { > + if (es_info_length > sizeof(c->operand) - 4 - write_pos || > + es_info_length > length - read_pos) { > ret = -EINVAL; > goto out; > } > diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c > index 9363d005e2b6..2d6992ac5dd6 100644 > --- a/drivers/media/firewire/firedtv-ci.c > +++ b/drivers/media/firewire/firedtv-ci.c > @@ -134,6 +134,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg) > } else { > data_length = msg->msg[3]; > } > + if (data_length > sizeof(msg->msg) - 4) > + return -EINVAL; > > return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length); > } > -- > 2.30.2 > This patch seems to have gotten lost. Any change of it getting applied? thanks, greg k-h
Hi, On Thu, Jul 29, 2021 at 12:32:21PM +0200, Greg KH wrote: > On Wed, Apr 14, 2021 at 11:57:59AM +0300, Dan Carpenter wrote: > > The bounds checking in avc_ca_pmt() is not strict enough. It should > > be checking "read_pos + 4" because it's reading 5 bytes. If the > > "es_info_length" is non-zero then it reads a 6th byte so there needs to > > be an additional check for that. > > > > I also added checks for the "write_pos". I don't think these are > > required because "read_pos" and "write_pos" are tied together so > > checking one ought to be enough. But they make the code easier to > > understand for me. > > > > The other problem is that "length" can be invalid. It comes from > > "data_length" in fdtv_ca_pmt(). > > > > Cc: stable@vger.kernel.org > > Reported-by: Luo Likang <luolikang@nsfocus.com> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > --- > > This hardware isn't super common so there is no embargo. Resending > > through normal lists. > > > > Oh, another thing is the data_length calculation in fdtv_ca_pmt() seems > > very suspicous. Reading more than 4 bytes in the loop will lead to > > shift wrapping. > > > > drivers/media/firewire/firedtv-avc.c | 14 +++++++++++--- > > drivers/media/firewire/firedtv-ci.c | 2 ++ > > 2 files changed, 13 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c > > index 2bf9467b917d..71991f8638e6 100644 > > --- a/drivers/media/firewire/firedtv-avc.c > > +++ b/drivers/media/firewire/firedtv-avc.c > > @@ -1165,7 +1165,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > > read_pos += program_info_length; > > write_pos += program_info_length; > > } > > - while (read_pos < length) { > > + while (read_pos + 4 < length) { > > + if (write_pos + 4 >= sizeof(c->operand) - 4) { > > + ret = -EINVAL; > > + goto out; > > + } > > c->operand[write_pos++] = msg[read_pos++]; > > c->operand[write_pos++] = msg[read_pos++]; > > c->operand[write_pos++] = msg[read_pos++]; > > @@ -1177,13 +1181,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > > c->operand[write_pos++] = es_info_length >> 8; > > c->operand[write_pos++] = es_info_length & 0xff; > > if (es_info_length > 0) { > > + if (read_pos >= length) { > > + ret = -EINVAL; > > + goto out; > > + } > > pmt_cmd_id = msg[read_pos++]; > > if (pmt_cmd_id != 1 && pmt_cmd_id != 4) > > dev_err(fdtv->device, "invalid pmt_cmd_id %d at stream level\n", > > pmt_cmd_id); > > > > - if (es_info_length > sizeof(c->operand) - 4 - > > - write_pos) { > > + if (es_info_length > sizeof(c->operand) - 4 - write_pos || > > + es_info_length > length - read_pos) { > > ret = -EINVAL; > > goto out; > > } > > diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c > > index 9363d005e2b6..2d6992ac5dd6 100644 > > --- a/drivers/media/firewire/firedtv-ci.c > > +++ b/drivers/media/firewire/firedtv-ci.c > > @@ -134,6 +134,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg) > > } else { > > data_length = msg->msg[3]; > > } > > + if (data_length > sizeof(msg->msg) - 4) > > + return -EINVAL; > > > > return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length); > > } > > -- > > 2.30.2 > > > > This patch seems to have gotten lost. Any change of it getting applied? As far I can see there was then a version 2 of the patch, but that one got list somewhere. Friendly ping on this thread :) Regards, Salvatore
diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c index 2bf9467b917d..71991f8638e6 100644 --- a/drivers/media/firewire/firedtv-avc.c +++ b/drivers/media/firewire/firedtv-avc.c @@ -1165,7 +1165,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) read_pos += program_info_length; write_pos += program_info_length; } - while (read_pos < length) { + while (read_pos + 4 < length) { + if (write_pos + 4 >= sizeof(c->operand) - 4) { + ret = -EINVAL; + goto out; + } c->operand[write_pos++] = msg[read_pos++]; c->operand[write_pos++] = msg[read_pos++]; c->operand[write_pos++] = msg[read_pos++]; @@ -1177,13 +1181,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) c->operand[write_pos++] = es_info_length >> 8; c->operand[write_pos++] = es_info_length & 0xff; if (es_info_length > 0) { + if (read_pos >= length) { + ret = -EINVAL; + goto out; + } pmt_cmd_id = msg[read_pos++]; if (pmt_cmd_id != 1 && pmt_cmd_id != 4) dev_err(fdtv->device, "invalid pmt_cmd_id %d at stream level\n", pmt_cmd_id); - if (es_info_length > sizeof(c->operand) - 4 - - write_pos) { + if (es_info_length > sizeof(c->operand) - 4 - write_pos || + es_info_length > length - read_pos) { ret = -EINVAL; goto out; } diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c index 9363d005e2b6..2d6992ac5dd6 100644 --- a/drivers/media/firewire/firedtv-ci.c +++ b/drivers/media/firewire/firedtv-ci.c @@ -134,6 +134,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg) } else { data_length = msg->msg[3]; } + if (data_length > sizeof(msg->msg) - 4) + return -EINVAL; return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length); }