| Message ID | 20140908111843.GC6947@mwanda (mailing list archive) |
|---|---|
| State | Accepted, archived |
| Headers |
Received: from mail.tu-berlin.de ([130.149.7.33]) by www.linuxtv.org with esmtp (Exim 4.72) (envelope-from <linux-media-owner@vger.kernel.org>) id 1XQwzI-0008Nn-Rn; Mon, 08 Sep 2014 13:20:00 +0200 X-tubIT-Incoming-IP: 209.132.180.67 Received: from vger.kernel.org ([209.132.180.67]) by mail.tu-berlin.de (exim-4.72/mailfrontend-6) with esmtp id 1XQwzG-0001kB-4V; Mon, 08 Sep 2014 13:20:00 +0200 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753267AbaIHLTz (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Mon, 8 Sep 2014 07:19:55 -0400 Received: from userp1040.oracle.com ([156.151.31.81]:44767 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752962AbaIHLTy (ORCPT <rfc822; linux-media@vger.kernel.org>); Mon, 8 Sep 2014 07:19:54 -0400 Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s88BJY5x026932 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 8 Sep 2014 11:19:35 GMT Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s88BJXdF007612 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 8 Sep 2014 11:19:34 GMT Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s88BJXS5004100; Mon, 8 Sep 2014 11:19:33 GMT Received: from mwanda (/197.157.0.14) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 08 Sep 2014 04:19:30 -0700 Date: Mon, 8 Sep 2014 14:18:43 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: Stefan Richter <stefanr@s5r6.in-berlin.de> Cc: Mauro Carvalho Chehab <m.chehab@samsung.com>, linux-media@vger.kernel.org, linux1394-devel@lists.sourceforge.net, kernel-janitors@vger.kernel.org Subject: [patch] [media] firewire: firedtv-avc: potential buffer overflow Message-ID: <20140908111843.GC6947@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) X-Source-IP: acsinet22.oracle.com [141.146.126.238] Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2014.9.8.111220 X-PMX-Spam: Gauge=IIIIIIIII, Probability=9%, Report=' MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05, MSGID_ADDED_BY_MTA 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_1300_1399 0, BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, INVALID_MSGID_NO_FQDN 0, URI_ENDS_IN_HTML 0, __ANY_URI 0, __CD 0, __CP_URI_IN_BODY 0, __CT 0, __CT_TEXT_PLAIN 0, __DATE_TZ_RU 0, __HAS_FROM 0, __HAS_MSGID 0, __HAS_X_MAILING_LIST 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __MULTIPLE_RCPTS_CC_X2 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0, __TO_MALFORMED_2 0, __URI_NO_WWW 0, __URI_NS , __USER_AGENT 0' |
Commit Message
Dan Carpenter
Sept. 8, 2014, 11:18 a.m. UTC
"program_info_length" is user controlled and can go up to 4095. The
operand[] array has 509 bytes so we need to add a limit here to prevent
buffer overflows.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Comments
On Sep 08 Dan Carpenter wrote: > "program_info_length" is user controlled and can go up to 4095. The > operand[] array has 509 bytes so we need to add a limit here to prevent > buffer overflows. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Thank you. > > diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c > index d1a1a13..ac17567 100644 > --- a/drivers/media/firewire/firedtv-avc.c > +++ b/drivers/media/firewire/firedtv-avc.c > @@ -1157,6 +1157,10 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > if (pmt_cmd_id != 1 && pmt_cmd_id != 4) > dev_err(fdtv->device, > "invalid pmt_cmd_id %d\n", pmt_cmd_id); > + if (program_info_length > sizeof(c->operand) - write_pos) { > + ret = -EINVAL; > + goto out; > + } > > memcpy(&c->operand[write_pos], &msg[read_pos], > program_info_length); > @@ -1180,6 +1184,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > dev_err(fdtv->device, "invalid pmt_cmd_id %d " > "at stream level\n", pmt_cmd_id); > > + if (es_info_length > sizeof(c->operand) - write_pos) { > + ret = -EINVAL; > + goto out; > + } > + > memcpy(&c->operand[write_pos], &msg[read_pos], > es_info_length); > read_pos += es_info_length;
On Sep 08 Stefan Richter wrote: > On Sep 08 Dan Carpenter wrote: > > "program_info_length" is user controlled and can go up to 4095. The > > operand[] array has 509 bytes so we need to add a limit here to prevent > > buffer overflows. > > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > Reviewed-by: Stefan Richter <stefanr@s5r6.in-berlin.de> > > Thank you. Oops, that was a bit too quick. After the memcpy() accesses which you protect, there are another four bytes written, still without checking the bounds. > > > > diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c > > index d1a1a13..ac17567 100644 > > --- a/drivers/media/firewire/firedtv-avc.c > > +++ b/drivers/media/firewire/firedtv-avc.c > > @@ -1157,6 +1157,10 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > > if (pmt_cmd_id != 1 && pmt_cmd_id != 4) > > dev_err(fdtv->device, > > "invalid pmt_cmd_id %d\n", pmt_cmd_id); > > + if (program_info_length > sizeof(c->operand) - write_pos) { So I suggest something like this instead: + if (program_info_length > sizeof(c->operand) - 4 - write_pos) { > > + ret = -EINVAL; > > + goto out; > > + } > > > > memcpy(&c->operand[write_pos], &msg[read_pos], > > program_info_length); > > @@ -1180,6 +1184,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) > > dev_err(fdtv->device, "invalid pmt_cmd_id %d " > > "at stream level\n", pmt_cmd_id); > > > > + if (es_info_length > sizeof(c->operand) - write_pos) { And likewise: + if (es_info_length > sizeof(c->operand) - 4 - write_pos) { > > + ret = -EINVAL; > > + goto out; > > + } > > + > > memcpy(&c->operand[write_pos], &msg[read_pos], > > es_info_length); > > read_pos += es_info_length; FYI, after this follows: write_pos += es_info_length; } } write_pos += 4; /* CRC */ c->operand[7] = 0x82; c->operand[8] = (write_pos - 10) >> 8; c->operand[9] = (write_pos - 10) & 0xff; c->operand[14] = write_pos - 15; crc32_csum = crc32_be(0, &c->operand[10], c->operand[12] - 1); c->operand[write_pos - 4] = (crc32_csum >> 24) & 0xff; c->operand[write_pos - 3] = (crc32_csum >> 16) & 0xff; c->operand[write_pos - 2] = (crc32_csum >> 8) & 0xff; c->operand[write_pos - 1] = (crc32_csum >> 0) & 0xff; pad_operands(c, write_pos); fdtv->avc_data_length = ALIGN(3 + write_pos, 4); ret = avc_write(fdtv); And pad_operands() is defined in the same source file as: #define LAST_OPERAND (509 - 1) static inline void clear_operands(struct avc_command_frame *c, int from, int to) { memset(&c->operand[from], 0, to - from + 1); } static void pad_operands(struct avc_command_frame *c, int from) { int to = ALIGN(from, 4); if (from <= to && to <= LAST_OPERAND) clear_operands(c, from, to); } BTW, the calculation of "to" in pad_operands appears to be wrong, but this does not affect Dan's patch. I will send an extra patch for that. Regards,
On Mon, Sep 08, 2014 at 02:40:33PM +0200, Stefan Richter wrote: > On Sep 08 Stefan Richter wrote: > > On Sep 08 Dan Carpenter wrote: > > > "program_info_length" is user controlled and can go up to 4095. The > > > operand[] array has 509 bytes so we need to add a limit here to prevent > > > buffer overflows. > > > > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > > > Reviewed-by: Stefan Richter <stefanr@s5r6.in-berlin.de> > > > > Thank you. > > Oops, that was a bit too quick. After the memcpy() accesses which you > protect, there are another four bytes written, still without checking > the bounds. Thanks for catching that. I'll send a v2 soon. Btw, my static checker complains about the remaining memcpy() in this file: drivers/media/firewire/firedtv-avc.c:1310 avc_ca_get_mmi() error: '*len' from user is not capped properly This static checker warning has a lot of false positives. I looked at the code for a long time but couldn't figure out why it thinks "*len" is untrusted. I also wasn't totally sure that it was safe? regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c index d1a1a13..ac17567 100644 --- a/drivers/media/firewire/firedtv-avc.c +++ b/drivers/media/firewire/firedtv-avc.c @@ -1157,6 +1157,10 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) if (pmt_cmd_id != 1 && pmt_cmd_id != 4) dev_err(fdtv->device, "invalid pmt_cmd_id %d\n", pmt_cmd_id); + if (program_info_length > sizeof(c->operand) - write_pos) { + ret = -EINVAL; + goto out; + } memcpy(&c->operand[write_pos], &msg[read_pos], program_info_length); @@ -1180,6 +1184,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) dev_err(fdtv->device, "invalid pmt_cmd_id %d " "at stream level\n", pmt_cmd_id); + if (es_info_length > sizeof(c->operand) - write_pos) { + ret = -EINVAL; + goto out; + } + memcpy(&c->operand[write_pos], &msg[read_pos], es_info_length); read_pos += es_info_length;