[Dropped cc to stable and LKML.] On Tue, 2017-05-23 at 22:09 +0200, Greg Kroah-Hartman wrote: > 4.4-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Alyssa Milburn <amilburn@xxxxxxxx> > > commit a12b8ab8c5ff7ccd7b107a564743507c850a441d upstream. > > Otherwise ttusb2_i2c_xfer can read or write beyond the end of static and > heap buffers. This function has another problem: it uses per-device mutexes to guard access to static buffers. This only works as long as there's a single device. It should be using per-device buffers (or a static mutex, but that's less good). Ben. > Signed-off-by: Alyssa Milburn <amilburn@xxxxxxxx> > Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > > --- > drivers/media/usb/dvb-usb/ttusb2.c | 19 +++++++++++++++++++ > 1 file changed, 19 insertions(+) > > --- a/drivers/media/usb/dvb-usb/ttusb2.c > +++ b/drivers/media/usb/dvb-usb/ttusb2.c > @@ -78,6 +78,9 @@ static int ttusb2_msg(struct dvb_usb_dev > u8 *s, *r = NULL; > int ret = 0; > > + if (4 + rlen > 64) > + return -EIO; > + > s = kzalloc(wlen+4, GFP_KERNEL); > if (!s) > return -ENOMEM; > @@ -381,6 +384,22 @@ static int ttusb2_i2c_xfer(struct i2c_ad > write_read = i+1 < num && (msg[i+1].flags & I2C_M_RD); > read = msg[i].flags & I2C_M_RD; > > + if (3 + msg[i].len > sizeof(obuf)) { > + err("i2c wr len=%d too high", msg[i].len); > + break; > + } > + if (write_read) { > + if (3 + msg[i+1].len > sizeof(ibuf)) { > + err("i2c rd len=%d too high", msg[i+1].len); > + break; > + } > + } else if (read) { > + if (3 + msg[i].len > sizeof(ibuf)) { > + err("i2c rd len=%d too high", msg[i].len); > + break; > + } > + } > + > obuf[0] = (msg[i].addr << 1) | (write_read | read); > if (read) > obuf[1] = 0; > > > -- Ben Hutchings Software Developer, Codethink Ltd.